Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
AnalysisAI
Open redirect vulnerability in Jenkins Bitbucket OAuth Plugin 0.17 and earlier enables unauthenticated network attackers to craft login URLs that redirect authenticated victims to arbitrary, attacker-controlled destinations, facilitating phishing campaigns targeting Jenkins users. The plugin fails to validate or restrict the post-login redirect URL parameter, classified under CWE-601. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.3 Medium rating reflects network reachability offset by a mandatory user interaction requirement.
Technical ContextAI
CWE-601 (URL Redirection to Untrusted Site / Open Redirect) describes a class of flaws where an application accepts attacker-controlled input as a redirect destination without validating it against a whitelist of trusted URLs. In OAuth-based login flows, a 'redirect_to' or equivalent post-authentication parameter is commonly used to return users to the page they originally requested. The Jenkins Bitbucket OAuth Plugin (versions ≤ 0.17) does not enforce any restriction on this parameter, allowing it to point to an entirely external domain. The affected CPE context is the Jenkins plugin ecosystem: Jenkins itself acts as the CI/CD server, while the Bitbucket OAuth Plugin handles delegated authentication via Bitbucket's OAuth provider. The exploit surface is the login endpoint exposed by the plugin within any Jenkins instance that has enabled Bitbucket OAuth as its authentication mechanism.
RemediationAI
The primary remediation is to upgrade the Jenkins Bitbucket OAuth Plugin to the fixed version released in response to SECURITY-3761, as detailed in the Jenkins Security Advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3761. Note that the exact fixed version number is not independently confirmed from the available data - consult the advisory directly to identify the minimum safe version and apply it via the Jenkins Plugin Manager. As a compensating control pending upgrade, administrators can restrict access to the Jenkins login URL at the network perimeter (e.g., WAF or reverse proxy rules) to known-good source IPs or internal networks, reducing the attacker's ability to deliver crafted links to users. Additionally, user-awareness measures - such as reminding staff not to click unsolicited Jenkins login links - can reduce phishing success rates. Restricting network exposure does introduce friction for legitimate remote users, so it should be treated as a temporary measure until the patch is applied.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32515
GHSA-r8fj-rff6-f7h5