CVE-2026-48924
Analyzed Analyzed - Analysis Complete
Jenkins Bitbucket OAuth Plugin Open Redirect Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: Jenkins Project

Description
Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-48924
EUVD
EUVD-2026-32515
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jenkins bitbucket_oauth to 0.17 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Jenkins Bitbucket OAuth Plugin 0.17 and earlier allows attackers to perform phishing attacks by not restricting the redirect URL after login.

Such phishing attacks can potentially lead to unauthorized access or credential theft, which may result in violations of data protection regulations like GDPR or HIPAA if personal or sensitive data is compromised.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Executive Summary

The Jenkins Bitbucket OAuth Plugin version 0.17 and earlier has a vulnerability where it does not restrict the redirect URL after login.

This flaw allows attackers to manipulate the redirect URL, potentially leading users to malicious sites.

As a result, attackers can perform phishing attacks by redirecting users to fraudulent websites after they log in.

Impact Analysis

This vulnerability can impact you by enabling attackers to redirect authenticated users to malicious websites.

Such phishing attacks can lead to credential theft, unauthorized access, or other security breaches.

It undermines the trust in the login process and can compromise the security of your Jenkins environment.

Detection Guidance

This vulnerability affects Jenkins Bitbucket OAuth Plugin version 0.17 and earlier, where the redirect URL after login is not restricted, enabling phishing attacks.

To detect this vulnerability on your system, first verify the version of the Jenkins Bitbucket OAuth Plugin installed.

  • Check the installed plugin version in Jenkins by navigating to Manage Jenkins > Manage Plugins > Installed tab.
  • Alternatively, use Jenkins CLI or API to list installed plugins and their versions.
  • No specific network commands are provided to detect exploit attempts related to this vulnerability.
Mitigation Strategies

To mitigate this vulnerability, upgrade the Jenkins Bitbucket OAuth Plugin to a version later than 0.17 where the redirect URL restriction is properly enforced.

Until an upgrade is possible, consider restricting access to the Jenkins instance to trusted users only and monitor for suspicious login redirect behavior.

Educate users to be cautious of unexpected redirects after login to prevent phishing attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart