CVE-2026-57289

EUVD-2026-38770
Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
jenkinsCNA
4.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
jenkinsbitbucket_push_and_pull_request
𝑥
≤ 3.3.8
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3856