Critical Jenkins OIDC Vulnerability Exposes CI/CD Pipelines to SSRF Attacks

A critical security vulnerability, identified as CVE-2026-14336, has been disclosed, affecting Jenkins installations that integrate with PIA's OpenID Connect (OIDC) issuer allowlist. The flaw stems from an insufficient validation mechanism within PIA's handling of OIDC issuer URLs. Specifically, the allowlist relies on a simple string-prefix check (e.g., `issuer.startswith('https://ci.eclipse.org')`) rather than a robust validation of the URL's host boundary. This weakness allows an unauthenticated attacker to craft malicious issuer URLs, such as `https://ci.eclipse.org@evil.host` or `https://ci.eclipse.org.evil.host`. These specially crafted URLs can bypass the prefix check while redirecting OIDC discovery and JSON Web Key Set (JWKS) fetches to a server controlled by the attacker. The immediate consequence is that an unauthenticated caller making a `POST` request to `/v1/upload/sbom` can force the PIA integration within Jenkins to initiate outbound HTTP(S) connections to an arbitrary, attacker-controlled server.

This vulnerability is highly significant for practitioners managing CI/CD pipelines, particularly those leveraging Jenkins with OIDC for authentication and authorization. The ability for an unauthenticated actor to trigger outbound connections from a CI/CD system represents a severe Server-Side Request Forgery (SSRF) risk. An SSRF attack can be a potent initial foothold for adversaries, enabling them to scan internal networks, access sensitive internal services not exposed to the public internet, or exfiltrate confidential data from the build environment. Given that CI/CD systems often have elevated privileges and access to source code, credentials, and deployment targets, any compromise can have cascading effects across the entire software supply chain. The 'unauthenticated caller' aspect makes this a particularly dangerous vulnerability, as it lowers the bar for exploitation.
This incident underscores a persistent and growing trend in cloud and DevOps security: the increasing targeting of CI/CD infrastructure. As organizations accelerate their software delivery through automation, CI/CD pipelines become central to their operational security posture. Flaws in authentication mechanisms, such as OIDC, are particularly attractive to attackers because they can grant broad access. This vulnerability aligns with a broader pattern of supply chain attacks, where compromising a foundational component like a build server or its integrations can lead to widespread impact. Recent years have seen a heightened focus on securing every stage of the software development lifecycle, from code commit to deployment, with OIDC and token management being critical points of control. The industry continues to grapple with the complexities of securely integrating diverse tools and services, where a seemingly minor validation oversight can lead to major security breaches.

In practice, organizations using Jenkins with PIA's OIDC integration must immediately assess their exposure to CVE-2026-14336. The primary recommendation is to apply any available patches or updates from the vendor that address this specific vulnerability. Beyond immediate patching, practitioners should review their OIDC configurations to ensure strict and comprehensive URL validation, moving beyond simple prefix checks to fully qualified domain name (FQDN) or certificate-based validation where possible. Implementing robust network segmentation for CI/CD infrastructure is crucial, limiting outbound access from Jenkins servers only to necessary endpoints. Furthermore, monitoring outbound network connections from CI/CD systems for anomalous activity can help detect attempted exploitation. Finally, adopting a principle of least privilege for all service accounts and integrations within the CI/CD pipeline remains a fundamental security best practice to minimize the blast radius of any successful attack.
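To make the host-boundary problem from the description above concrete, and to show what the "strict URL validation" recommended here looks like in code, the following added example places the string-prefix check the article quotes beside a component-level check that parses the issuer and compares the hostname exactly. This is illustration written for this page, not code from Jenkins, from the PIA integration, or from the vendor's fix; the allowlist contents, the function names and the policy rules (HTTPS only, no userinfo, port 443 or unset, no query or fragment) are assumptions chosen for the example.

```python
"""
Issuer allowlist: the prefix check beside a host-boundary-aware check.

Added illustration for this article; not code from Jenkins or from the PIA
integration it describes. Function names and policy rules are assumptions.
"""
from urllib.parse import urlsplit

# Constructed allowlist, using the issuer the article quotes as its example.
ALLOWED_ISSUERS = ("https://ci.eclipse.org",)

# The real OIDC discovery document path (OpenID Connect Discovery 1.0).
DISCOVERY_PATH = "/.well-known/openid-configuration"


def issuer_allowed_prefix(issuer: str) -> bool:
    """The weak check the article describes: a plain string prefix.

    Anything that merely *starts with* the allowed string passes, including
    a userinfo trick ('https://ci.eclipse.org@evil.host') and a suffixed
    hostname ('https://ci.eclipse.org.evil.host').
    """
    return any(issuer.startswith(allowed) for allowed in ALLOWED_ISSUERS)


def issuer_allowed_strict(issuer: str) -> bool:
    """Validate at the URL-component level rather than on the raw string.

    Assumed policy for this example:
      * scheme must be https
      * no userinfo component (rejects 'user@host' forms)
      * hostname must equal an allowlisted host exactly, case-insensitively
        (rejects 'ci.eclipse.org.evil.host', which is a different host)
      * port, if present, must be 443
      * no query string or fragment
    """
    try:
        parts = urlsplit(issuer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.query or parts.fragment:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    if not host:
        return False
    allowed_hosts = {urlsplit(a).hostname.lower() for a in ALLOWED_ISSUERS}
    return host in allowed_hosts


def discovery_url_for(issuer: str) -> str:
    """Build the discovery URL only for an issuer that passes the strict check.

    This is the point at which an outbound fetch would otherwise be made, so
    it is the place the allowlist must gate.
    """
    if not issuer_allowed_strict(issuer):
        raise ValueError(f"issuer not allowlisted: {issuer!r}")
    return issuer.rstrip("/") + DISCOVERY_PATH


def compare_checks(issuers):
    """Return {issuer: (prefix_result, strict_result)} for a list of issuers."""
    return {i: (issuer_allowed_prefix(i), issuer_allowed_strict(i)) for i in issuers}


if __name__ == "__main__":
    # Constructed sample issuers, including the two bypass shapes from the article.
    samples = [
        "https://ci.eclipse.org",
        "https://ci.eclipse.org:443/oidc",
        "https://ci.eclipse.org@evil.host",
        "https://ci.eclipse.org.evil.host",
        "http://ci.eclipse.org",
    ]
    for issuer, (prefix_ok, strict_ok) in compare_checks(samples).items():
        print(f"{issuer:40s} prefix={prefix_ok!s:5s} strict={strict_ok}")
```

The two bypass URLs quoted in the article pass `issuer_allowed_prefix` and fail `issuer_allowed_strict`, because the parsed hostname is `evil.host` and `ci.eclipse.org.evil.host` respectively, neither of which is the allowlisted host. Comparing parsed components rather than string prefixes is the general fix; the specific policy rules above (port and scheme handling in particular) are a choice for this example and should be matched to the deployment's own issuer.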