CVE-2026-42521

Severity: MEDIUM (CVSS v3.1 base score 6.5)
Weakness: CWE-502
Published: April 29, 2026 · Updated: April 30, 2026
EPSS: 0.04% probability of exploitation in the next 30 days (percentile: 10.6th)

Official Description

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Source: NVD

Technical Analysis

CVE-2026-42521 is exploitable remotely over the network (AV:N); no physical or adjacent access is required, which widens the set of attackers who can reach the vulnerable component.

Exploitation requires low privileges (PR:L): per the official description, the attacker needs Item/Configure permission on the Jenkins instance, so exposure is limited to scenarios where an attacker already holds an account with that permission.

A successful exploit results in a full integrity compromise (I:H, data manipulation) with no rated confidentiality or availability impact, giving a CVSS base score of 6.5. Note that the official description also lists possible information disclosure, depending on which classes are present on the classpath.

From a weakness classification perspective (CWE-502, deserialization of untrusted data): insecure deserialization lets an attacker control which objects are instantiated during deserialization. Here the plugin invokes parameterless constructors of classes named in configuration without restricting the permitted types; in the general case this class of weakness can lead to remote code execution.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector:        Network
  Attack Complexity:    Low
  Privileges Required:  Low
  User Interaction:     None
  Scope:                Unchanged
Impact
  Confidentiality:      None
  Integrity:            High
  Availability:         None

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID:      CVE-2026-42521
CVSS Score:  6.5 / 10
Severity:    MEDIUM
Weakness:    CWE-502
CISA KEV:    No
EPSS (30d):  0.04%
Published:   Apr 29, 2026

Recommended Actions

  • Apply vendor patches immediately: the affected range given in the description is Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive), so update the plugin to a release newer than 3.2.9
  • Review which users and groups hold Item/Configure permission, since that is the privilege an attacker needs to reach this flaw
  • Monitor CVE-2026-42521 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.