Jenkins FitNesse Plugin <=1.36 Exposes Passwords in config.xml (Extended Read)
CVE-2026-57302 Published on June 24, 2026

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-57302 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Unprotected Storage of Credentials

Storing a password in plaintext may result in a system compromise. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource.


Products Associated with CVE-2026-57302

Want to know whenever a new CVE is published for Jenkins? stack.watch will email you.

 

Affected Versions

Jenkins Project Jenkins FitNesse Plugin Version 1.36 is affected by CVE-2026-57302