Skip to main content

Contrast Security Plugin CVE-2026-57298

| EUVDEUVD-2026-38779 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 jenkins GHSA-6qc4-57v3-28rr
5.4
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

CSRF requires no attacker privileges (PR:N) but mandates victim browser interaction (UI:R); limited credential/connection control yields C:L/I:L with no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 24, 2026 - 16:25 vuln.today
CVSS changed
Jun 24, 2026 - 16:22 NVD
5.4 (None) 5.4 (MEDIUM)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

AnalysisAI

Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote attacker to force a Jenkins instance to establish outbound connections to an arbitrary attacker-controlled URL, supplying attacker-chosen credentials including a username, API key, and service key. Any authenticated Jenkins user can be the unwitting victim if tricked into visiting a crafted page while logged in. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious web page with forged Jenkins request
Delivery
Social-engineer authenticated Jenkins user to visit page
Exploit
Browser auto-submits CSRF request to Jenkins Contrast plugin endpoint
Execution
Jenkins accepts forged configuration with attacker URL and credentials
Persist
Jenkins initiates outbound connection to attacker-controlled host
Impact
Attacker observes connection and supplied credential parameters

Vulnerability AssessmentAI

Exploitation The victim must be an authenticated Jenkins user (any role that has permission to access or trigger the Contrast plugin configuration endpoint) and must visit an attacker-controlled page while their Jenkins session is active in the same browser. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N scores 5.4 Medium. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a Jenkins instance using the Contrast plugin and social-engineers a logged-in Jenkins user into visiting a malicious web page. That page silently submits a forged POST request to the Jenkins Contrast plugin configuration endpoint, substituting the Contrast service URL and credentials with attacker-controlled values. …
Remediation Upgrade the Contrast Continuous Application Security Plugin to a version higher than 3.11 as directed by the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3697%20(1). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy