The default crumb issuer for Jenkins uses an MD5 hash of some state data to create a crumb for users. This may be hypothetically vulnerable to brute forcing of MD5 hashes to form a valid crumb if the crumb's state is predictable to some level of detail (unsure on the specifics, hence why it's just hypothetical). This is most predictable when the administrator excludes remote IP address and session ID information from being used to seed the crumb, so it's a somewhat contrived scenario potentially. This can be hardened by simply updating the message digest algorithm chosen. Since all JDKs must support SHA-256 as well, this seems like a reasonable update.