CVE-2026-57306
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
A CSRF vulnerability in Jenkins Zowe zDevOps Plugin version 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Risk Assessment
The risk involves potential theft of sensitive credentials (e.g., passwords, API tokens) stored in Jenkins, which could enable unauthorized access to other systems and resources.
Recommendation
It is recommended to immediately update the Zowe zDevOps plugin to the latest available version that fixes this vulnerability, and to implement CSRF protection mechanisms such as synchronization tokens.
Original NVD description (English source)
A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

