Skip to main content

Jenkins Bitbucket Plugin CVE-2026-57289

| EUVDEUVD-2026-38770 MEDIUM
Improper Certificate Validation (CWE-295)
2026-06-24 jenkins GHSA-jwhr-h7pc-3974
4.8
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

Network vector because Jenkins contacts Bitbucket over HTTPS; AC:H for required MitM positioning; PR:N as attacker needs no credentials; C:L/I:L for token capture and potential request manipulation; no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 24, 2026 - 16:21 vuln.today
CVSS changed
Jun 24, 2026 - 15:22 NVD
4.8 (None) 4.8 (MEDIUM)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

AnalysisAI

Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Achieve network MitM position
Delivery
Intercept Jenkins-to-Bitbucket HTTPS connection
Exploit
Present fraudulent TLS certificate (accepted unconditionally)
Execution
Capture Bearer token from Authorization header
Impact
Authenticate to Bitbucket Server API as Jenkins service account

Vulnerability AssessmentAI

Exploitation The vulnerability is triggered unconditionally whenever the Jenkins Bitbucket Push and Pull Request Plugin version 3.3.8 or earlier sends any Bearer token authenticated request to the configured Bitbucket Server endpoint - no special plugin configuration, non-default setting, or specific workflow is required; installing the plugin with a Bitbucket Server URL configured is sufficient to be exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, score 4.8) is internally consistent: high attack complexity (AC:H) reflects the prerequisite of network interception positioning, while the absence of required privileges (PR:N) on the attacker side correctly captures that no Jenkins or Bitbucket credentials are needed to exploit the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same network segment as the Jenkins controller - or with access to a network device on the path to the Bitbucket Server - performs ARP spoofing or DNS manipulation to position themselves as a MitM. When the plugin sends an outbound HTTPS request to the Bitbucket Server endpoint with the Bearer token in the Authorization header, the attacker presents a self-signed certificate; because hostname and certificate validation are unconditionally disabled, the plugin accepts the connection without error and transmits the token in plaintext to the attacker. …
Remediation Administrators should consult the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3856 to identify the patched plugin release and upgrade immediately via the Jenkins Plugin Manager (Manage Jenkins → Plugins → Available updates). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy