Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0272

NIXPKGS-2026-0272
published on 19 Feb 2026
updated 2 days, 12 hours ago by @LeSuisse

Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    10 packages
    • jenkins-job-builder
    • python312Packages.jenkinsapi
    • python313Packages.jenkinsapi
    • python314Packages.jenkinsapi
    • python312Packages.python-jenkins
    • python313Packages.python-jenkins
    • python314Packages.python-jenkins
    • python312Packages.jenkins-job-builder
    • python313Packages.jenkins-job-builder
    • python314Packages.jenkins-job-builder
  • @LeSuisse removed
    3 maintainers
    • @coreyoconnor
    • @earldouglas
    • @NeQuissimus
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run …

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.

Affected products

Jenkins
  • *
  • <2.541.*

Matching in nixpkgs

Ignored packages (10)

Package maintainers

Ignored maintainers (3)
Upstream advisory: https://www.jenkins.io/security/advisory/2026-02-18/