{"id":"CVE-2026-48926","details":"Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.","aliases":["GHSA-p8jh-4p5p-2rfp"],"modified":"2026-07-15T06:10:02.032432Z","published":"2026-05-27T15:16:32.310Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3783"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/job-import-plugin","events":[{"introduced":"0"},{"last_affected":"35289550f1e62f2c97ebea6ecf055b23bab35689"},{"introduced":"044a2e819b271dade0106de10291b2fed45836df"},{"last_affected":"044a2e819b271dade0106de10291b2fed45836df"}],"database_specific":{"cpe":["cpe:2.3:a:jenkins:job_import:*:*:*:*:*:jenkins:*:*","cpe:2.3:a:jenkins:job_import:143.v044a_2e819b_27:*:*:*:*:jenkins:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"122.v35289550f1e6"},{"introduced":"143.v044a_2e819b_27"},{"last_affected":"143.v044a_2e819b_27"}],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["143.v044a_2e819b_27","122.v35289550f1e6","job-import-plugin-3.6","job-import-plugin-3.5","job-import-plugin-3.4","job-import-plugin-3.3","job-import-plugin-3.2","job-import-plugin-3.1","job-import-plugin-3.0","job-import-plugin-2.1","job-import-plugin-2.0","job-import-plugin-1.8","job-import-plugin-1.7","job-import-plugin-1.6","job-import-plugin-1.4","job-import-plugin-1.3.1","job-import-plugin-1.3","job-import-plugin-1.2","job-import-plugin-1.1","job-import-plugin-1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48926.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}