CVE Catalog

CVE-2026-57289

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

1th percentile — higher than 1% of all known CVEs

Summary

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

Risk Assessment

Attackers can capture the authentication token, potentially leading to unauthorized access to Bitbucket repositories and possible privilege escalation in the CI/CD system.

Recommendation

Immediately update the Bitbucket Push and Pull Request Plugin to a version newer than 3.3.8, which restores SSL/TLS certificate validation.

Original NVD description (English source)

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS