CVE-2026-57289
Jenkins Bitbucket Plugin SSL Certificate Validation Bypass

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Jenkins Project

Description
Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.
Affected Vendors & Products
Vendor: jenkinsci
Product: bitbucket_push_and_pull_request_plugin
Version / Range: up to 3.3.9 (exclusive)
CWE
CWE-295: The product does not validate, or incorrectly validates, a certificate.
Executive Summary

The vulnerability exists in Jenkins Bitbucket Push and Pull Request Plugin version 3.3.8 and earlier. It unconditionally disables SSL/TLS certificate and hostname validation for connections that send Bearer token authenticated requests to the configured Bitbucket Server endpoint. This means that the plugin does not verify the authenticity of the server it is communicating with, which allows attackers who can intercept network traffic to capture the Bearer token.
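
The pattern the advisory describes, shown as an added Java example (not code from the plugin or from the Jenkins advisory): the trust-all configuration that CWE-295 names beside the hardened default, plus a check a code reviewer could apply to any connection that carries a credential. The endpoint, the use of HttpsURLConnection and the class name are assumptions; the plugin's own HTTP client is not identified on this page.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class BitbucketTlsExample {
    // Placeholder endpoint (constructed for this example, not taken from the advisory).
    static final String ENDPOINT = "https://bitbucket.example.internal/rest/api/1.0/projects";

    // VULNERABLE pattern (CWE-295): every certificate chain and every hostname is accepted,
    // so anyone who can terminate TLS on the path reads the Bearer token in the request.
    static HttpsURLConnection insecureConnection(String token)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(ENDPOINT).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // hostname check disabled
        conn.setRequestProperty("Authorization", "Bearer " + token);
        return conn;
    }

    // HARDENED: leave the JVM's default trust store and hostname verifier in place.
    // A self-signed or private-CA Bitbucket Server is handled by importing that CA into
    // the trust store, never by switching validation off.
    static HttpsURLConnection secureConnection(String token) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(ENDPOINT).toURL().openConnection();
        conn.setRequestProperty("Authorization", "Bearer " + token);
        return conn;
    }

    // Review check: a connection that sends a credential must still use the JVM defaults.
    static boolean validationIntact(HttpsURLConnection conn) {
        return conn.getSSLSocketFactory() == HttpsURLConnection.getDefaultSSLSocketFactory()
            && conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier();
    }
}
```

validationIntact returns false for insecureConnection and true for secureConnection, which is the property a unit test or a code review of the plugin's request path should enforce.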

Compliance Impact

This vulnerability allows attackers who can intercept network traffic to capture Bearer tokens due to disabled SSL/TLS certificate and hostname validation. Such token exposure can lead to unauthorized access to sensitive data or systems.

Exposure of sensitive authentication tokens may result in non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require protection of personal and health information against unauthorized access.

Impact Analysis

This vulnerability can impact you by allowing attackers who are able to intercept your network traffic to capture the Bearer token used for authentication. With this token, attackers could potentially impersonate legitimate users or services, leading to unauthorized access to your Bitbucket Server resources or Jenkins integrations.
