JustAppSec

Jenkins advisory fixes High-severity stored XSS in node "mark temporarily offline" description

What happened

Jenkins published a security advisory dated 2026-02-18 covering two Jenkins core issues, including SECURITY-3669 / CVE-2026-27099, a High-severity stored XSS bug in how Jenkins renders the user-provided description for the "Mark temporarily offline" node offline cause.

The advisory explains that since Jenkins 2.483 the description attached to an offline cause is defined as containing HTML and is rendered as HTML. Affected versions do not escape the user-provided description for the "Mark temporarily offline" offline cause, so a user who can mark a node offline can store arbitrary markup that runs in the browser of anyone who later views a page rendering that description: a stored XSS, exploitable by authorized Jenkins users rather than anonymous ones.

The same advisory also includes SECURITY-3658 / CVE-2026-27100 (Medium): affected versions accept Run Parameter values that reference builds the submitting user is not permitted to access, which lets that user learn whether a job or build exists and read its display name (a limited information disclosure).

Who is impacted

  • Organizations running Jenkins weekly versions up to and including 2.550.
  • Organizations running Jenkins LTS versions up to and including 2.541.1.
  • For CVE-2026-27099, impact is greatest where users or automation have Agent/Configure or Agent/Disconnect permissions and where Jenkins UI content is viewed by higher-privileged users (typical in shared CI environments).
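To turn the affected and fixed version lists into a quick triage, here is an added example (not part of this article or of the Jenkins project) that classifies a Jenkins core version string against the fixed releases named in the advisory. It assumes Jenkins' usual numbering convention that LTS releases carry three components (2.541.1) while weekly releases carry two (2.550); the CSP flag follows the "2.539 and newer" note in the mitigation guidance further down this page.

```python
"""Triage a Jenkins core version against the 2026-02-18 advisory.

Added example for this article, not code from the Jenkins project.
Fixed versions come from the advisory (weekly 2.551, LTS 2.541.2).
Assumption: Jenkins' usual numbering, where LTS releases carry three
components (2.541.1) and weekly releases two (2.550).
"""
from __future__ import annotations

import sys

FIXED_WEEKLY = (2, 551)         # first fixed weekly release
FIXED_LTS = (2, 541, 2)         # first fixed LTS release
CSP_MITIGATION_FROM = (2, 539)  # CSP enforcement usable as a stopgap from 2.539 (per the article)


def parse_version(text: str) -> tuple[int, ...]:
    """'2.541.1' -> (2, 541, 1); rejects anything that is not two or three dotted integers."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins core version: {text!r}")
    return tuple(int(p) for p in parts)


def release_line(version: tuple[int, ...]) -> str:
    """Three components means an LTS release, two means weekly (assumption)."""
    return "lts" if len(version) == 3 else "weekly"


def is_affected(text: str) -> bool:
    """True if the version is below the first fixed release of its line.

    Tuple comparison is lexicographic, so an older LTS line such as
    2.516.3 compares below 2.541.2 and is correctly reported as affected.
    """
    version = parse_version(text)
    fixed = FIXED_LTS if release_line(version) == "lts" else FIXED_WEEKLY
    return version < fixed


def triage(text: str) -> dict:
    """Summarise what an operator needs to know for one controller."""
    version = parse_version(text)
    line = release_line(version)
    fixed = FIXED_LTS if line == "lts" else FIXED_WEEKLY
    affected = version < fixed
    return {
        "version": text,
        "line": line,
        "affected": affected,
        "upgrade_to": ".".join(map(str, fixed)) if affected else None,
        # CSP is only a stopgap: available on 2.539 and newer (LTS 2.541.x is
        # based on weekly 2.541, so it qualifies) and it does not fix the bug.
        "csp_mitigation_available": affected and version >= CSP_MITIGATION_FROM,
    }


if __name__ == "__main__":
    # Constructed sample inputs are used when no versions are given on the command line.
    for v in sys.argv[1:] or ["2.550", "2.551", "2.541.1", "2.541.2", "2.516.3"]:
        print(triage(v))
```

Run it with the version string shown in the footer of the Jenkins UI or returned in the X-Jenkins response header; anything with `"affected": True` goes on the upgrade list, and `csp_mitigation_available` tells you whether CSP enforcement is even an option while you wait.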

What to do now

  • Upgrade Jenkins weekly to 2.551.
  • Upgrade Jenkins LTS to 2.541.2.
  • If you are on Jenkins 2.539 or newer (including LTS 2.541.1) and cannot upgrade immediately, enforce Content Security Policy (CSP), which Jenkins notes as a mitigation for CVE-2026-27099. CSP limits what injected markup can do but does not remove the unescaped rendering, so still treat upgrading as the primary fix.
  • Review and tighten Jenkins RBAC around node (agent) management permissions (Agent/Configure, Agent/Disconnect) to reduce the number of principals that can reach the vulnerable stored-XSS input.
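Alongside the RBAC review, it is worth checking what is already stored: an upgrade fixes the rendering, but any description a user saved before the upgrade stays on the node. The following audit script is an added example (not from this article or the Jenkins project). It reads the output of Jenkins' computer API and flags nodes that are temporarily offline with HTML in the offline-cause description, separating inert markup from active content (script-bearing tags, inline event handlers, javascript: URLs). It assumes the field names displayName, temporarilyOffline and offlineCauseReason from /computer/api/json and ships with a constructed sample response so it runs offline; pass a base URL, user and API token to run it against a live controller.

```python
"""Audit stored offline-cause descriptions on a Jenkins controller.

Added example for this article, not code from the Jenkins project.
Assumed field names from GET /computer/api/json: displayName,
temporarilyOffline, offlineCauseReason. The sample response below is
constructed so the script runs offline.
"""
from __future__ import annotations

import base64
import json
import re
import sys
import urllib.parse
import urllib.request

TREE = "computer[displayName,temporarilyOffline,offlineCauseReason]"

# Any HTML tag at all. Since 2.483 descriptions are HTML by design, so a
# harmless <b> is "markup", not an attack, but still worth a look.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Constructs that execute or load code when rendered unescaped.
ACTIVE_RE = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math|meta|link|base)\b"  # code-running or loading tags
    r"|\son[a-z]+\s*="                                               # inline event handlers
    r"|javascript\s*:"                                               # javascript: URLs
    r"|srcdoc\s*=",                                                  # inline document in an iframe
    re.IGNORECASE,
)

# Constructed sample of the API response: the third node carries a classic
# test payload, the fourth only inert formatting, the second plain text.
SAMPLE_RESPONSE = json.dumps({"computer": [
    {"displayName": "Built-In Node", "temporarilyOffline": False, "offlineCauseReason": ""},
    {"displayName": "linux-agent-1", "temporarilyOffline": True,
     "offlineCauseReason": "Disk replacement, back on Monday"},
    {"displayName": "win-agent-2", "temporarilyOffline": True,
     "offlineCauseReason": "maintenance <img src=x onerror=alert(document.domain)>"},
    {"displayName": "mac-agent-3", "temporarilyOffline": True,
     "offlineCauseReason": "<b>scheduled</b> firmware update"},
]})


def classify(description: str) -> str:
    """'active' beats 'markup' beats 'plain'."""
    if ACTIVE_RE.search(description):
        return "active"
    if TAG_RE.search(description):
        return "markup"
    return "plain"


def audit(api_json: str) -> list[dict]:
    """Return nodes that are temporarily offline with HTML in their description."""
    findings = []
    for node in json.loads(api_json).get("computer", []):
        if not node.get("temporarilyOffline"):
            continue  # the vulnerable path is the "Mark temporarily offline" cause only
        reason = node.get("offlineCauseReason") or ""
        verdict = classify(reason)
        if verdict != "plain":
            findings.append({"node": node.get("displayName"), "verdict": verdict, "reason": reason})
    return findings


def fetch_computer_json(base_url: str, user: str, token: str) -> str:
    """GET the computer API using HTTP basic auth with a user API token."""
    url = base_url.rstrip("/") + "/computer/api/json?tree=" + urllib.parse.quote(TREE, safe="[],")
    request = urllib.request.Request(url)
    credential = base64.b64encode(f"{user}:{token}".encode()).decode()
    request.add_header("Authorization", "Basic " + credential)
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python audit_offline_causes.py https://jenkins.example.com USER API_TOKEN
    body = fetch_computer_json(*sys.argv[1:]) if len(sys.argv) == 4 else SAMPLE_RESPONSE
    for finding in audit(body):
        print(f"{finding['verdict']:7} {finding['node']}: {finding['reason']!r}")
```

Treat any "active" finding as an incident rather than a cleanup item: clear the description, check who set it (the node's configuration history or audit trail, if you keep one), and assume that anyone who viewed the node page while it was set may have had their session used. "markup" findings are usually benign formatting by administrators, but they tell you the HTML path is in use on that controller.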

Additional Information

  • Advisory: Jenkins Security Advisory 2026-02-18 (covers CVE-2026-27099 and CVE-2026-27100).
  • Fixed versions per advisory: weekly 2.551, LTS 2.541.2.
  • Affected versions per advisory: weekly <= 2.550, LTS <= 2.541.1.
Source: Jenkins Security Advisory
Published 18 Feb 2026