What Is New in Jenkins 2.555.x
Jenkins 2.555.x is a significant milestone release that drops Java 17 support entirely and requires Java 21 or Java 25 to run. Beyond the runtime requirement shift, this release delivers security hardening through updated Spring Framework and Spring Security libraries, plus a long-standing multibranch Pipeline regression fix.
| Category | Summary |
|---|---|
| Breaking Change | Java 21 or Java 25 required -- Java 17 no longer supported. Java 17 Docker controller images removed. |
| Security / Framework | Spring Framework updated to 6.2.17, Spring Security updated to 6.5.9 |
| Bug Fix | Multibranch Pipeline folder scan regression (introduced in 2.547) resolved |
| Permissions | Overall/Manage permission now enabled by default |
| Security (CSRF) | Client IP address removed from CSRF crumb calculation; proxy compatibility always active |
| API Tokens | Expiration dates now supported on API tokens |
| UI | Clouds page redesigned; various sidebar and button fixes |
| CSP | Option to fully disable CSP headers for unusual proxy-heavy setups |
| Build Reliability | Builds no longer fail when tool installation directory is read-only |
| Remoting | Minimum supported remoting.jar bumped to 3176.v207ec082a_8c0 |
Why Does Jenkins 2.555.1 Drop Java 17?
The Jenkins project is following its 2+2+2 Java support plan, which rotates Java LTS support on a structured timeline. Java 17 has been in the supported matrix long enough -- Java 21 is now the minimum, and Java 25 (the next LTS) is also accepted. This is not a surprise deprecation; the roadmap has been communicated through the Jenkins blog post on the 2+2+2 plan.
In practice, most CI/CD infrastructure running Jenkins has already moved to Java 21 JVMs given it has been the current LTS since 2023. If you are still pinned to Java 17, plan your JVM upgrade before deploying this release. The Docker official images have also dropped Java 17 controller tags, so any pipeline pulling jenkins/jenkins:lts-jdk17 will need to be updated.
What Changed in Spring Framework and Spring Security?
Jenkins 2.555.1 ships Spring Framework 6.2.17 (up from 6.2.16) and Spring Security 6.5.9 (up from 6.5.8). Both are patch-level updates that carry bug fixes and CVE remediations from the respective upstream projects. For a Jenkins admin, there is no configuration change required -- these are transitive dependency upgrades baked into the WAR.
This matters because Jenkins relies heavily on Spring for its web layer and authentication machinery. Staying current on these libraries keeps the attack surface minimal without requiring plugin changes or custom configuration. The linked upstream release notes detail exactly which CVEs and fixes are bundled.
What Was the Multibranch Pipeline Regression and Is It Fixed?
A regression introduced in Jenkins 2.547 broke folder-level scans for Multibranch Pipelines -- specifically, triggering a scan from a parent folder stopped working correctly. If your team noticed that multibranch jobs were not auto-discovering branches after upgrading through that range, this was the cause. Jenkins 2.555.1 resolves it via issue 26516.
In practice, workarounds like triggering scans directly at the Multibranch item level or manually indexing branches are no longer needed after this fix. Folder-level scan triggers should behave as they did prior to 2.547.
What Changed With CSRF Protection and the Overall/Manage Permission?
Two security-adjacent changes landed in the 2.541.3-to-2.555 window. First, the CSRF crumb calculation no longer includes the client IP address. This means Jenkins behaves as if the old "Enable proxy compatibility" option was permanently switched on -- useful for environments behind load balancers or reverse proxies where the client IP seen by Jenkins varies per request. If you had the hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID flag set, Jenkins will now show administrators a warning about the reduced safety this flag implies and signal its future removal.
Second, the Overall/Manage permission is now enabled by default. This permission allows trusted users to configure specific global Jenkins settings without granting them the ability to run arbitrary code on the controller. It is a meaningful step toward proper least-privilege delegation -- giving ops engineers the ability to manage things like log recorders or agent configuration without handing them full admin rights.
What Else Changed in This Release Series?
API Token Expiration
API tokens can now carry an expiration date. Previously, Jenkins API tokens were permanent once issued, which made rotation a manual, enforcement-heavy process. With expiration support, teams can issue short-lived tokens for automation pipelines and enforce TTL policies natively inside Jenkins without external tooling.
Revamped Clouds Page
The Clouds configuration page has been redesigned. If your team manages dynamic agent provisioning through Kubernetes, Docker, or EC2 cloud plugins, the redesigned UI should make navigating and editing cloud configurations faster. This is a UI-layer change with no behavior impact on existing cloud configurations.
CSP Header Opt-Out
A new option allows administrators to entirely disable Content Security Policy headers. This is explicitly a workaround for configurations where unusually long HTTP response headers -- for example from deeply nested CSP directives generated by plugins -- cause downstream proxy failures. Disabling CSP is a targeted escape hatch, not a general recommendation.
Read-Only Tool Installation Directory
Previously, if Jenkins tried to install a tool (JDK, Maven, etc.) into a directory that turned out to be read-only, the build would fail hard. This is now handled gracefully -- the build continues rather than aborting. This helps container-based agents where tool directories are baked into images and should not be written to at runtime (JENKINS-16005, open since 2012).
Sidebar and UI Fixes
Sidebar navigation now correctly handles non-ASCII localized section headers, fixing a visual glitch for Jenkins instances in non-Latin locales. The "License and dependency information" plugin page no longer returns 404s when clicking plugin names. Primary button text color in administrative monitors is also corrected.
FAQ
Can I run Jenkins 2.555.1 on Java 17 with a flag or workaround?
No. Java 17 support has been fully removed -- there is no flag, environment variable, or compatibility shim to bring it back. The JVM startup will fail. You need to provision Java 21 or Java 25 on your controller host and update your JAVA_HOME accordingly before deploying this release.
My Multibranch Pipeline scans stopped working after upgrading to a 2.547--2.554 build. Does upgrading to 2.555.1 fix this?
Yes. The regression that broke folder-level multibranch scans was introduced in 2.547 and the fix landed in 2.555.1 (issue 26516). Upgrading directly to 2.555.1 from a pre-2.547 version skips the broken range entirely. If you are already on 2.547--2.554, upgrading to 2.555.1 restores the expected behavior.
Will removing the client IP from the CSRF crumb break anything for us?
It is unlikely to break anything and may actually fix intermittent CSRF errors for setups behind load balancers or reverse proxies. The old behavior -- where the crumb was tied to the originating IP -- caused failures when the visible IP changed between the crumb-fetch request and the form submission. The new behavior is effectively "proxy compatibility always on," which is the safer default for modern Jenkins deployments.
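The crumb change described in the release notes above and in this FAQ answer, as an added example: a simplified Python model, not Jenkins's own code. The hash inputs, separator, salt and the `bind_ip` / `bind_session` switches are assumptions chosen to mirror the old IP binding and the `EXCLUDE_SESSION_ID` flag.

```python
import hashlib
import hmac

SALT = "constructed-instance-salt"  # assumption: stands in for a per-instance secret

def crumb(user, client_ip, session_id, *, bind_ip, bind_session=True):
    """Salted hash over the request attributes the crumb is bound to (model only)."""
    parts = [user]
    if bind_ip:
        parts.append(client_ip)      # old behaviour: crumb tied to the visible IP
    if bind_session:
        parts.append(session_id)     # dropped when session binding is excluded
    return hashlib.sha256((";".join(parts) + SALT).encode()).hexdigest()

def submit_ok(issued, user, client_ip, session_id, **binding):
    """Server-side check: recompute from the submitting request, compare in constant time."""
    expected = crumb(user, client_ip, session_id, **binding)
    return hmac.compare_digest(issued, expected)

def scenario():
    # Constructed requests: one user behind a proxy pool that rotates the visible IP.
    fetch = ("alice", "10.0.1.11", "sess-A")      # crumb-fetch request
    post = ("alice", "10.0.1.12", "sess-A")       # form submission, other proxy node
    relogin = ("alice", "10.0.1.12", "sess-B")    # same user, later session

    old = crumb(*fetch, bind_ip=True)
    new = crumb(*fetch, bind_ip=False)
    weak = crumb(*fetch, bind_ip=False, bind_session=False)
    return {
        # IP-bound crumb is rejected when the visible IP changes mid-flow.
        "ip_bound_post_accepted": submit_ok(old, *post, bind_ip=True),
        # Without the IP, the same flow validates.
        "ip_free_post_accepted": submit_ok(new, *post, bind_ip=False),
        # Session binding still expires the crumb with the session.
        "ip_free_valid_after_relogin": submit_ok(new, *relogin, bind_ip=False),
        # No session binding: the crumb outlives the session, hence the admin warning.
        "no_session_valid_after_relogin": submit_ok(
            weak, *relogin, bind_ip=False, bind_session=False),
    }

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```
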
How do API token expiration dates work -- do existing tokens get an expiration set automatically?
No, existing tokens are not retroactively given an expiration date. The expiration field is opt-in when creating new tokens. Tokens issued before this feature existed remain valid indefinitely unless revoked manually. To enforce expiration across your instance, you will need to rotate old tokens and reissue them with an explicit TTL.
We use the official Jenkins Docker image pinned to a jdk17 tag. What should we do?
Switch to a jdk21 or jdk21-preview image tag. The jdk17 and related Java 17 controller images have been removed from the Docker Hub repository for Jenkins 2.555.x and later. Update your FROM line in any Dockerfile extending the Jenkins base image, and test your plugin set against Java 21 before rolling out to production.
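A pre-upgrade check for the Java 17 removal covered above, as an added example that is not part of the Jenkins project or the original page: it parses a `java -version` banner and flags `jenkins/jenkins` image references that still carry a jdk17 tag. The sample input, function names and finding labels are constructed for illustration.

```python
import re

SUPPORTED_JAVA = {21, 25}  # runtimes this page lists for Jenkins 2.555.x

# Dockerfile FROM lines and compose-style "image:" keys naming jenkins/jenkins.
IMAGE_REF = re.compile(
    r"^\s*(?:FROM\s+(?:--\S+\s+)*|image:\s*[\"']?)"
    r"((?:[\w.:\-]+/)?jenkins/jenkins(?::[\w.\-]+)?(?:@sha256:[0-9a-f]+)?)",
    re.IGNORECASE,
)

# Constructed sample input (not from a real repository).
SAMPLE = """\
FROM jenkins/jenkins:lts-jdk17
# FROM jenkins/jenkins:lts-jdk17
FROM --platform=linux/amd64 jenkins/jenkins:lts-jdk21 AS controller
    image: "jenkins/jenkins:lts"
FROM jenkins/jenkins@sha256:abc123
"""

def java_major(banner):
    """Major version from `java -version` output, or None if unparseable."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', banner)
    if not m:
        return None
    major = int(m.group(1))
    # Pre-Java-9 banners read "1.8.0_392": the major is the second field.
    return int(m.group(2)) if major == 1 and m.group(2) else major

def controller_ready(banner):
    return java_major(banner) in SUPPORTED_JAVA

def audit_images(text):
    """Return (line number, image reference, finding) for references needing attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IMAGE_REF.match(line)          # commented-out lines do not match
        if not m:
            continue
        ref = m.group(1)
        tag = ref.split("@")[0].rsplit("/", 1)[-1].partition(":")[2]
        if "jdk17" in tag:
            findings.append((lineno, ref, "java17-tag"))
        elif "@sha256:" in ref:
            findings.append((lineno, ref, "digest-pinned: verify JDK manually"))
        elif not re.search(r"jdk\d+", tag):
            findings.append((lineno, ref, "no-jdk-in-tag: verify resolved JDK"))
    return findings
```
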