CVE-2026-14336

Eclipse · PIA (OIDC issuer allowlist)

The PIA OIDC issuer allowlist for Jenkins tokens performs improper validation: it uses a bare string-prefix check, which may allow unauthorized token issuance.

Executive summary

An authentication bypass vulnerability in the Eclipse PIA OIDC issuer allowlist permits unauthorized Jenkins token validation, posing a significant risk to CI/CD pipeline integrity.

Vulnerability

The vulnerability exists because the OIDC issuer allowlist implementation relies on a weak string-prefix check: only the beginning of the token's issuer value is compared against the allowlist, so an issuer value that merely starts with a trusted issuer string can pass the check. This flaw may allow an attacker to bypass intended authentication constraints, potentially masquerading as a legitimate OIDC issuer to obtain unauthorized Jenkins tokens.
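To make the difference concrete, the following added example (not PIA's code; the allowlist value, the claim-extraction helper and the function names are constructed for illustration) places the weak prefix-style allowlist check next to the strict exact-match check that OpenID Connect Core requires for the `iss` claim, and runs both over constructed, unsigned demo tokens. The issuer check runs before signature verification because the issuer decides whose keys may verify the signature at all, which is exactly why a lax comparison at this point is so damaging.

```python
"""Added example: prefix-based vs exact-match OIDC issuer allowlist checks.
Constructed for illustration; not the PIA project's code."""
import base64
import json
from typing import FrozenSet, Optional

# Hypothetical allowlist of trusted OIDC issuers (constructed value).
TRUSTED_ISSUERS: FrozenSet[str] = frozenset({"https://jenkins.example.com/oidc"})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_issuer(token: str) -> Optional[str]:
    """Read the `iss` claim from the payload segment of a compact JWT.

    This is the only claim read before signature verification: the issuer
    selects which key set is allowed to verify the token, so nothing here
    may be trusted beyond deciding whether the issuer is on the allowlist.
    Returns None for anything that is not a three-part JWT with a string iss.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return None
    if not isinstance(claims, dict):
        return None
    iss = claims.get("iss")
    return iss if isinstance(iss, str) else None


def issuer_allowed_by_prefix(iss: str, allowlist: FrozenSet[str] = TRUSTED_ISSUERS) -> bool:
    """The weak pattern the advisory describes: accept any issuer whose string
    merely begins with a trusted issuer. Shown only to contrast with the fix."""
    return any(iss.startswith(trusted) for trusted in allowlist)


def issuer_allowed_exact(iss: str, allowlist: FrozenSet[str] = TRUSTED_ISSUERS) -> bool:
    """Strict validation: OIDC Core requires the iss claim to exactly match the
    configured Issuer Identifier, so this is plain full-string set membership,
    with no prefix, substring or normalisation logic."""
    return iss in allowlist


def token_issuer_accepted(token: str, strict: bool = True,
                          allowlist: FrozenSet[str] = TRUSTED_ISSUERS) -> bool:
    """Gate a token on its issuer. strict=False reproduces the flawed behaviour."""
    iss = extract_issuer(token)
    if iss is None:
        return False
    check = issuer_allowed_exact if strict else issuer_allowed_by_prefix
    return check(iss, allowlist)


def make_test_token(claims: dict) -> str:
    """Build a constructed JWT for the demo: real header and payload encoding,
    but a placeholder signature segment. Never use such a token for anything
    but exercising the issuer check."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    good = make_test_token({"iss": "https://jenkins.example.com/oidc", "sub": "build-42"})
    lookalike = make_test_token({"iss": "https://jenkins.example.com/oidc-other", "sub": "build-42"})
    for name, tok in (("trusted issuer", good), ("prefix lookalike", lookalike)):
        print(f"{name}: prefix check -> {token_issuer_accepted(tok, strict=False)}, "
              f"exact check -> {token_issuer_accepted(tok, strict=True)}")
```

The constructed lookalike issuer passes the prefix check and fails the exact check; that second result is the behaviour the vendor update restores. Any deployment that also canonicalises issuer URLs (trailing slashes, host case) should do so on the configured allowlist at load time, never on the incoming claim, so the runtime comparison stays a plain equality.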

Business impact

Exploitation of this vulnerability could grant an attacker unauthorized access to Jenkins CI/CD pipelines, enabling code injection, credential theft, or the compromise of sensitive development environments. With a CVSS score of 8.2, the risk to the software supply chain is substantial, potentially leading to unauthorized deployments or internal system compromise.

Remediation

Immediate Action: Apply the vendor-provided security update without delay; it replaces the weak prefix check with strict, full-string validation.

Proactive Monitoring: Audit Jenkins access logs for unexpected OIDC authentication events or tokens associated with unknown or suspicious issuers.

Compensating Controls: Implement strict network segmentation and reinforce OIDC configuration policies to ensure only trusted issuers are permitted within the CI/CD infrastructure.
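The audit step above can be scripted. The following added example (not PIA's or Jenkins' code; the log line format, field names and allowlist are constructed, and a real deployment must adapt the regular expression to its own OIDC authentication log format) walks a set of constructed log lines and reports every authentication event whose issuer is not an exact allowlist member. Issuers that would have satisfied a prefix check but not an exact match are flagged separately, because those are the events most likely to be tied to this weakness.

```python
"""Added example: audit OIDC authentication log lines for issuers that are not
exact allowlist members. Constructed log format; not a Jenkins or PIA artefact."""
import re
from typing import Dict, FrozenSet, Iterable, List

# Hypothetical allowlist of trusted OIDC issuers (constructed value).
TRUSTED_ISSUERS: FrozenSet[str] = frozenset({"https://jenkins.example.com/oidc"})

# Hypothetical log format: "<timestamp> <level> oidc-login user=<u> iss=<url> result=<r>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+oidc-login\s+"
    r"user=(?P<user>\S+)\s+iss=(?P<iss>\S+)\s+result=(?P<result>\S+)"
)


def classify_issuer(iss: str, allowlist: FrozenSet[str] = TRUSTED_ISSUERS) -> str:
    """Exact membership is the only 'trusted' outcome. A value that only shares
    a prefix with a trusted issuer is labelled separately: it is what a weak
    prefix check would have accepted, so it deserves first attention."""
    if iss in allowlist:
        return "trusted"
    if any(iss.startswith(trusted) for trusted in allowlist):
        return "prefix-lookalike"
    return "unknown"


def audit_oidc_log(lines: Iterable[str],
                   allowlist: FrozenSet[str] = TRUSTED_ISSUERS) -> List[Dict[str, str]]:
    """Return one finding per parseable event whose issuer is not exactly trusted.
    Successful and failed attempts are both reported; the result field is kept
    so reviewers can prioritise successful logins from untrusted issuers."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unrelated or unparseable line; count these separately if needed
        verdict = classify_issuer(match["iss"], allowlist)
        if verdict == "trusted":
            continue
        findings.append({
            "ts": match["ts"],
            "user": match["user"],
            "iss": match["iss"],
            "result": match["result"],
            "verdict": verdict,
        })
    return findings


def summarise(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by verdict, e.g. {'prefix-lookalike': 1, 'unknown': 1}."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["verdict"]] = counts.get(finding["verdict"], 0) + 1
    return counts


# Constructed sample log lines for the demo.
SAMPLE_LOG = [
    "2026-03-01T09:12:03Z INFO oidc-login user=alice iss=https://jenkins.example.com/oidc result=success",
    "2026-03-01T09:14:51Z INFO oidc-login user=ci-bot iss=https://jenkins.example.com/oidc-staging result=success",
    "2026-03-01T09:20:17Z WARN oidc-login user=bob iss=https://login.example.net/realm result=failure",
    "2026-03-01T09:21:00Z INFO scheduler tick",
]

if __name__ == "__main__":
    for finding in audit_oidc_log(SAMPLE_LOG):
        print(finding)
    print(summarise(audit_oidc_log(SAMPLE_LOG)))
```

Run over real logs, the `prefix-lookalike` bucket is the one to reconcile against issuer configuration changes and the date the patch was applied; an empty bucket is a useful negative result, while any successful login in it warrants incident handling.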

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a high-risk security gap in authentication logic. It is imperative that security teams verify their current configuration and apply the vendor patch as soon as it becomes available to prevent unauthorized access to sensitive build environments.