Jenkins FitNesse Plugin <=1.36 Exposes Passwords in config.xml (Extended Read)
CVE-2026-57302 Published on June 24, 2026
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Vulnerability Analysis
CVE-2026-57302 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Unprotected Storage of Credentials
Storing a password in plaintext may result in a system compromise. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource.
Products Associated with CVE-2026-57302
Want to know whenever a new CVE is published for Jenkins? stack.watch will email you.