CVE-2025-64132: 
Java vulnerability analysis and mitigation

The Jenkins MCP Server Plugin vulnerability (CVE-2025-64132) was disclosed on October 29, 2025. This security flaw affects MCP Server Plugin versions 0.84.v50ca_24ef83f2 and earlier, where the plugin fails to perform proper permission checks in multiple MCP tools (Jenkins Project).

The vulnerability has been assigned a Medium severity rating with a CVSS v3.1 base score of 5.4 (MEDIUM). The vulnerability is classified as CWE-862 (Missing Authorization) and involves missing permission checks in several MCP tools. The security issue allows unauthorized access to various functionalities within the Jenkins environment (NVD).

The vulnerability enables three distinct unauthorized actions: 1) Attackers with Item/Read permission can access SCM information in jobs without having Item/Extended Read permission, 2) Attackers with Item/Read permission can trigger new builds without Item/Build permission, and 3) Attackers without Overall/Read permission can retrieve cloud configuration names (Jenkins Project).

Users are advised to update to MCP Server Plugin version 0.86.v7d3355e6aa18, which implements proper permission checks for the affected MCP tools. This version includes fixes that address all the identified permission check vulnerabilities (Jenkins Project).