CVE-2026-57289
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.
Risk Assessment
Attackers can capture the authentication token, potentially leading to unauthorized access to Bitbucket repositories and possible privilege escalation in the CI/CD system.
Recommendation
Immediately update the Bitbucket Push and Pull Request Plugin to a version newer than 3.3.8, which restores SSL/TLS certificate validation.
Original NVD description (English source)
Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to capture the token.

