Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CSRF requires no attacker privileges (PR:N) but mandates victim browser interaction (UI:R); limited credential/connection control yields C:L/I:L with no availability impact.
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
AnalysisAI
Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote attacker to force a Jenkins instance to establish outbound connections to an arbitrary attacker-controlled URL, supplying attacker-chosen credentials including a username, API key, and service key. Any authenticated Jenkins user can be the unwitting victim if tricked into visiting a crafted page while logged in. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be an authenticated Jenkins user (any role that has permission to access or trigger the Contrast plugin configuration endpoint) and must visit an attacker-controlled page while their Jenkins session is active in the same browser. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N scores 5.4 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Jenkins instance using the Contrast plugin and social-engineers a logged-in Jenkins user into visiting a malicious web page. That page silently submits a forged POST request to the Jenkins Contrast plugin configuration endpoint, substituting the Contrast service URL and credentials with attacker-controlled values. … |
| Remediation | Upgrade the Contrast Continuous Application Security Plugin to a version higher than 3.11 as directed by the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3697%20(1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authe
Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authentica
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38779
GHSA-6qc4-57v3-28rr