Skip to main content

Jenkins Contrast Plugin CVE-2026-57297

| EUVDEUVD-2026-38778 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 jenkins GHSA-p44q-fmwr-jqr7
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable endpoint requires only low-privilege Jenkins auth (PR:L); no confidentiality or availability impact, only unauthorized outbound connection initiation (I:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 26, 2026 - 04:30 vuln.today
CVSS changed
Jun 26, 2026 - 02:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

AnalysisAI

Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authenticated Jenkins user holding the minimal Overall/Read permission to invoke a connection test endpoint with fully attacker-controlled URL, username, API key, and service key. This enables the Jenkins server to make arbitrary outbound HTTP connections - a Server-Side Request Forgery (SSRF)-class impact - without the elevated privileges that should guard such functionality. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Jenkins with Overall/Read
Delivery
Identify Contrast plugin installation
Exploit
Submit crafted connection-test request with attacker-controlled URL
Execution
Jenkins server initiates outbound HTTP connection
Impact
Attacker server receives request and probes internal topology

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid Jenkins account with at minimum Overall/Read permission - the baseline permission granted to almost all authenticated Jenkins users in most deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects the bounded impact: exploitation is network-accessible and requires no special configuration complexity, but does require a valid Jenkins account with at least Overall/Read - the lowest meaningful Jenkins permission tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Jenkins user with only Overall/Read permission crafts a request to the Contrast plugin's connection-test form action, substituting an attacker-controlled server address for the legitimate Contrast platform URL along with arbitrary credential values. Jenkins executes the outbound connection on behalf of the attacker, allowing them to confirm internal network reachability of target hosts, harvest timing information about internal services, or receive the supplied API/service key material at their server.
Remediation Patch available per vendor advisory - consult the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3697%20(1) for the specific patched plugin version and update the plugin via Jenkins Plugin Manager. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57297 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy