CVE-2026-57289

MEDIUM NVD

CVSS Score 4.8

Severity MEDIUM

Published Jun 24, 2026

Vendor unknown

Description

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

References

https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3856