Security Advisory - Published 2026-06-11 - Jenkins / Splunk

Jenkins and Splunk CVEs: CI and logging platform self-check

Jenkins and Splunk often sit close to secrets, build artifacts, logs, and production access. This batch needs fast version checks because a compromise of either platform can reach far beyond the web UI.

Defensive scope: this page covers version confirmation, access review, suspicious configuration changes, and patching. It does not include attack chains or testing steps for systems outside your ownership or approval.

What is affected

CVE-2026-53435
  Product:           Jenkins core
  Affected versions: Weekly up to 2.567, LTS up to 2.555.2
  Fix:               Weekly 2.568 or LTS 2.555.3

CVE-2026-20251
  Product:           Splunk Secure Gateway
  Affected versions: Splunk Enterprise with vulnerable Secure Gateway app versions
  Fix:               Enterprise 10.2.4 / 10.0.7 / 9.4.12 / 9.3.13 and Secure Gateway 3.10.6 / 3.9.20 / 3.8.67

CVE-2026-20253
  Product:           Splunk Enterprise / Splunk Cloud Platform
  Affected versions: Enterprise below 10.2.4 / 10.0.7; Cloud below 10.4.2604.3 / 10.2.2510.14
  Fix:               Vendor fixed versions

Jenkins checks

# Identity Jenkins attributes to this client (anonymous if unauthenticated); -s is the server URL
java -jar jenkins-cli.jar -s https://jenkins.example who-am-i
# The X-Jenkins response header carries the running core version and needs no login
curl -sI https://jenkins.example/login | grep -i 'x-jenkins'

Confirm the Jenkins version from Manage Jenkins or the package manager, and cross-check it against the X-Jenkins header; a weekly version has two components (2.567) and an LTS version three (2.555.2), and each line has its own fixed release. Then review users holding Overall/Read together with configure-style permissions (Job/Configure, Overall/Administer), recent config.xml changes, new jobs, new credentials, and Script Console usage around the advisory window.

Splunk checks

# Running splunkd version; compare with the Enterprise fixed builds for the same major.minor branch
$SPLUNK_HOME/bin/splunk version
# Installed apps and whether each is enabled
$SPLUNK_HOME/bin/splunk display app
# Listening ports: splunkd management is 8089 and Splunk Web is 8000 by default
ss -ltnp | grep -i splunk
# Strings tied to the Secure Gateway app and its dependencies named in this advisory
grep -Rni -E "jsonpickle|secure gateway|spacebridge" "$SPLUNK_HOME/etc/apps" 2>/dev/null | head -50

Review whether the splunkd management port (8089 by default) and Splunk Web are reachable from untrusted networks. If Splunk Secure Gateway is installed, confirm the app version separately, from the version line under [launcher] in $SPLUNK_HOME/etc/apps/<app>/default/app.conf or from the Apps page in Splunk Web, and disable or remove it when it is not used. Check for unexpected file changes, new apps, suspicious REST activity against the management port, and admin logins near the first public advisory.
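As an added example (not part of this advisory and not vendor tooling), the script below turns the Jenkins and Splunk checks above into one comparison against the fixed versions in the table, and the same function serves the post-patch confirmation in step 6 of the fix path. It reads the Jenkins version from an X-Jenkins header and the Secure Gateway version from an app.conf; both inputs shown are constructed samples. The function names, the report layout, and the use of 2-component versus 3-component version strings to tell weekly from LTS are this example's own choices; Splunk Cloud builds are left to the vendor and are not compared here.

```python
"""Version self-check for the advisories on this page (added example, not
vendor tooling). Fixed versions come from the table above; the Jenkins
response headers and Secure Gateway app.conf below are constructed samples."""
import re

# Fixed versions from the advisory table. Jenkins has one fix per release
# line (weekly vs LTS); Splunk lists one fixed build per major.minor branch.
JENKINS_FIX = {"weekly": (2, 568), "lts": (2, 555, 3)}
SPLUNK_FIX = {
    "CVE-2026-20251 Splunk Enterprise": [(10, 2, 4), (10, 0, 7), (9, 4, 12), (9, 3, 13)],
    "CVE-2026-20251 Secure Gateway": [(3, 10, 6), (3, 9, 20), (3, 8, 67)],
    "CVE-2026-20253 Splunk Enterprise": [(10, 2, 4), (10, 0, 7)],
}


def parse_version(text):
    """'2.555.2' -> (2, 555, 2); a trailing build suffix such as '-1' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def header_value(raw_headers, name):
    """Return one header's value from raw `curl -I` output, or None if absent."""
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def jenkins_status(version_text):
    """Classify a Jenkins core version (e.g. the X-Jenkins header value).

    Weekly releases carry two components (2.567) and LTS releases three
    (2.555.2); each line is compared against its own fixed version.
    """
    v = parse_version(version_text)
    line = "lts" if len(v) >= 3 else "weekly"
    fix = JENKINS_FIX[line]
    return {"line": line, "version": v, "fix": fix, "vulnerable": v < fix}


def splunk_status(version_text, fixed_builds):
    """Branch-aware compare for a Splunk-style list of fixed builds.

    A build is fixed only when it is at or above the fixed release of its
    own major.minor branch (10.0.7 says nothing about 10.1.x). A branch with
    no fixed build in the advisory is reported as unknown, never as safe.
    """
    v = parse_version(version_text)
    for fix in fixed_builds:
        if fix[:2] == v[:2]:
            return {"version": v, "fix": fix, "known": True, "vulnerable": v < fix}
    return {"version": v, "fix": None, "known": False, "vulnerable": None}


def app_conf_version(app_conf_text):
    """Read the app version from a Splunk app.conf ([launcher] version = ...)."""
    section = None
    for raw in app_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "launcher":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "version":
                return value.strip()
    return None


# Constructed samples standing in for `curl -sI https://jenkins.example/login`
# and for $SPLUNK_HOME/etc/apps/<app>/default/app.conf of the Secure Gateway app.
SAMPLE_JENKINS_HEADERS = "HTTP/1.1 200 OK\r\nX-Jenkins: 2.555.2\r\nX-Jenkins-Session: abcdef12\r\n"
SAMPLE_APP_CONF = "[install]\nstate = enabled\n\n[launcher]\nauthor = Splunk\nversion = 3.9.19\n"
UNKNOWN = {"version": None, "fix": None, "known": False, "vulnerable": None}


def self_check(jenkins_headers, splunk_version, secure_gateway_app_conf):
    """Run every check in this page's table and return one verdict per CVE."""
    report = {"CVE-2026-53435 Jenkins core": jenkins_status(header_value(jenkins_headers, "X-Jenkins"))}
    for name, builds in SPLUNK_FIX.items():
        subject = app_conf_version(secure_gateway_app_conf) if "Gateway" in name else splunk_version
        report[name] = splunk_status(subject, builds) if subject else dict(UNKNOWN)
    return report


if __name__ == "__main__":
    for name, verdict in self_check(SAMPLE_JENKINS_HEADERS, "10.2.3", SAMPLE_APP_CONF).items():
        print(name, verdict)
```

Feed real input by replacing the samples with the output of the two commands above and the splunk version line; an empty app.conf (Secure Gateway not installed) yields an unknown verdict rather than a false "fixed", which is the result you want before deciding whether step 2 of the fix path applies.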

Safe fix path

  1. Upgrade Jenkins and Splunk to the vendor fixed versions.
  2. Disable or remove Splunk Secure Gateway if the environment does not need it.
  3. Restrict access to administrative interfaces before and during the patch window.
  4. Review credentials, API tokens, service accounts, and recently modified jobs or apps.
  5. Keep logs for incident review before rotating or deleting evidence.
  6. After patching, restart services and confirm the running version, not just installed packages.

Ping7 repair path

Ping7 can review Jenkins and Splunk exposure, admin permissions, suspicious changes, and post-patch verification for owned or client-approved systems. Start from CVE Repair and include the platform version, deployment type, and whether the admin interface is internet-facing.
