CVE-2026-57289
Analyzed Analyzed - Analysis Complete

Jenkins Bitbucket Plugin SSL Certificate Validation Bypass

Vulnerability report for CVE-2026-57289, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: Jenkins Project

Description

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
jenkins bitbucket_push_and_pull_request to 3.3.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers who can intercept network traffic to capture Bearer tokens due to disabled SSL/TLS certificate and hostname validation. Such token exposure can lead to unauthorized access to sensitive data or systems.

Exposure of sensitive authentication tokens may result in non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require protection of personal and health information against unauthorized access.

Executive Summary

The vulnerability exists in Jenkins Bitbucket Push and Pull Request Plugin version 3.3.8 and earlier. It unconditionally disables SSL/TLS certificate and hostname validation for connections that send Bearer token authenticated requests to the configured Bitbucket Server endpoint. This means that the plugin does not verify the authenticity of the server it is communicating with, which allows attackers who can intercept network traffic to capture the Bearer token.

Impact Analysis

This vulnerability can impact you by allowing attackers who are able to intercept your network traffic to capture the Bearer token used for authentication. With this token, attackers could potentially impersonate legitimate users or services, leading to unauthorized access to your Bitbucket Server resources or Jenkins integrations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57289. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart