Jenkins security advisory (AV26-403) – Canadian Centre for Cyber Security

Serial number: AV26-403
Date: April 29, 2026

On April 29, 2026, Jenkins published a security advisory to address vulnerabilities in the following products:

• Credentials Binding Plugin – version 719.v80e905ef14eb_ and prior
• GitHub Plugin – version 1.46.0 and prior
• GitHub Branch Source Plugin – version 1967.vdea_d580c1a_b_a_ and prior
• HTML Publisher Plugin – version 427 and prior
• Matrix Authorization Strategy Plugin – versions 2.0-beta-1 to 3.2.9
• Microsoft Entra ID (previously Azure AD) Plugin – version 666.v6060de32f87d and prior
• Script Security Plugin – version 1399.ve6a_66547f6e1 and prior

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.