Skip to main content

Jenkins Bitbucket OAuth Plugin CVE-2026-48924

| EUVDEUVD-2026-32515 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-27 jenkinsci-cert@googlegroups.com GHSA-r8fj-rff6-f7h5
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:12 vuln.today

DescriptionCVE.org

Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

AnalysisAI

Open redirect vulnerability in Jenkins Bitbucket OAuth Plugin 0.17 and earlier enables unauthenticated network attackers to craft login URLs that redirect authenticated victims to arbitrary, attacker-controlled destinations, facilitating phishing campaigns targeting Jenkins users. The plugin fails to validate or restrict the post-login redirect URL parameter, classified under CWE-601. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.3 Medium rating reflects network reachability offset by a mandatory user interaction requirement.

Technical ContextAI

CWE-601 (URL Redirection to Untrusted Site / Open Redirect) describes a class of flaws where an application accepts attacker-controlled input as a redirect destination without validating it against a whitelist of trusted URLs. In OAuth-based login flows, a 'redirect_to' or equivalent post-authentication parameter is commonly used to return users to the page they originally requested. The Jenkins Bitbucket OAuth Plugin (versions ≤ 0.17) does not enforce any restriction on this parameter, allowing it to point to an entirely external domain. The affected CPE context is the Jenkins plugin ecosystem: Jenkins itself acts as the CI/CD server, while the Bitbucket OAuth Plugin handles delegated authentication via Bitbucket's OAuth provider. The exploit surface is the login endpoint exposed by the plugin within any Jenkins instance that has enabled Bitbucket OAuth as its authentication mechanism.

RemediationAI

The primary remediation is to upgrade the Jenkins Bitbucket OAuth Plugin to the fixed version released in response to SECURITY-3761, as detailed in the Jenkins Security Advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3761. Note that the exact fixed version number is not independently confirmed from the available data - consult the advisory directly to identify the minimum safe version and apply it via the Jenkins Plugin Manager. As a compensating control pending upgrade, administrators can restrict access to the Jenkins login URL at the network perimeter (e.g., WAF or reverse proxy rules) to known-good source IPs or internal networks, reducing the attacker's ability to deliver crafted links to users. Additionally, user-awareness measures - such as reminding staff not to click unsolicited Jenkins login links - can reduce phishing success rates. Restricting network exposure does introduce friction for legitimate remote users, so it should be treated as a temporary measure until the patch is applied.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-48924 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy