Missing Authorization Affecting io.jenkins.plugins:mcp-server package, versions [,0.86.v7d3355e6a_a_18)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Missing Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-IOJENKINSPLUGINS-13775567
- published30 Oct 2025
- disclosed29 Oct 2025
- creditKevin Guerroudj
Introduced: 29 Oct 2025
NewCVE-2025-64132 (opens in a new tab)How to fix?
Upgrade io.jenkins.plugins:mcp-server to version 0.86.v7d3355e6a_a_18 or higher.
Overview
io.jenkins.plugins:mcp-server is a The MCP (Model Context Protocol) Server Plugin for Jenkins implements the server-side component of the Model Context Protocol. This plugin enables Jenkins to act as an MCP server, providing context, tools, and capabilities to MCP clients, such as LLM-powered applications or IDEs.
Affected versions of this package are vulnerable to Missing Authorization via the getJobScm, triggerBuild, and getStatus functions. An attacker can access sensitive information about configured SCMs, trigger unauthorized builds, or retrieve the names of configured clouds by exploiting insufficient permission checks.