Headline
GHSA-mrpq-9jr3-rqq9: Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-64132
Moderate severity GitHub Reviewed Published Oct 29, 2025 to the GitHub Advisory Database • Updated Oct 29, 2025
Package
maven io.jenkins.plugins:mcp-server (Maven)
Affected versions
< 0.86.v7d3355e6a
Patched versions
0.86.v7d3355e6a
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.
This allows the following:
- Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission (getJobScm).
- Attackers with Item/Read permission can trigger new builds of a job despite lacking Item/Build permission (triggerBuild).
- Attackers without Overall/Read permission can retrieve the names of configured clouds (getStatus).
MCP Server Plugin 0.86.v7d3355e6a_a_18 performs permission checks for the affected MCP tools.
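The pattern behind the fix is the standard Jenkins authorization check on the object an MCP tool operates on, placed before the tool returns data or schedules work. The example below is added here as an illustration and is not the plugin's code; it uses only Jenkins core APIs (`Jenkins.get()`, `getItemByFullName`, `checkPermission`, `Item.EXTENDED_READ`, `Item.BUILD`, `Jenkins.READ`, `Jenkins.clouds`). The class and method names are hypothetical, and the plugin's own mechanism for registering methods as MCP tools is not shown. `checkPermission` throws an access-denied exception when the current authentication lacks the permission, which is the behaviour a caller with only Item/Read should see for the three tools named above.

```java
// Added example, not code from the Jenkins MCP Server Plugin.
// Shows each of the three tool bodies with the authorization check
// the advisory describes as missing in 0.84.v50ca_24ef83f2 and earlier.
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.model.Job;
import hudson.scm.SCM;
import hudson.slaves.Cloud;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;

import java.util.ArrayList;
import java.util.List;

public class PermissionCheckedTools { // hypothetical class name

    // getJobScm: Item/Read only lets the caller see that the job exists.
    // The SCM definition is part of the job configuration, so the tool must
    // additionally require Item/Extended Read on that job.
    public static String getJobScm(String fullName) {
        // getItemByFullName applies Item/Read itself and returns null
        // when the job does not exist or is not visible to the caller.
        AbstractProject<?, ?> project =
                Jenkins.get().getItemByFullName(fullName, AbstractProject.class);
        if (project == null) {
            throw new IllegalArgumentException("No such job: " + fullName);
        }
        // Without this line a caller with only Item/Read receives the SCM details.
        project.checkPermission(Item.EXTENDED_READ);
        SCM scm = project.getScm();
        return scm == null ? "none" : scm.getType();
    }

    // triggerBuild: scheduling a build is governed by Item/Build, which is
    // separate from Item/Read. The check goes before anything reaches the queue.
    public static boolean triggerBuild(String fullName) {
        Job<?, ?> job = Jenkins.get().getItemByFullName(fullName, Job.class);
        if (job == null) {
            throw new IllegalArgumentException("No such job: " + fullName);
        }
        // Without this line a caller with only Item/Read can start builds.
        job.checkPermission(Item.BUILD);
        if (!(job instanceof ParameterizedJobMixIn.ParameterizedJob)) {
            return false; // job type cannot be triggered this way
        }
        ParameterizedJobMixIn.ParameterizedJob<?, ?> triggerable =
                (ParameterizedJobMixIn.ParameterizedJob<?, ?>) job;
        return triggerable.scheduleBuild2(0) != null;
    }

    // getStatus (cloud names): reading controller-level state such as the list
    // of configured clouds requires Overall/Read on the Jenkins instance.
    public static List<String> getCloudNames() {
        Jenkins jenkins = Jenkins.get();
        // Without this line an unauthenticated or Overall/Read-less caller
        // receives the cloud names.
        jenkins.checkPermission(Jenkins.READ);
        List<String> names = new ArrayList<>();
        for (Cloud cloud : jenkins.clouds) {
            names.add(cloud.name);
        }
        return names;
    }
}
```

When reviewing a tool surface like this, the useful check is that every tool method calls `checkPermission` on the object it acts on (the job, or the `Jenkins` singleton for controller-wide data) with the permission that the equivalent UI or REST action requires, rather than relying on the Item/Read filtering that `getItemByFullName` performs on lookup.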
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-64132
- https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3622
- jenkinsci/mcp-server-plugin@59de6a2
Published to the GitHub Advisory Database
Oct 29, 2025
Last updated
Oct 29, 2025