CVE-2026-57307
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Risk Assessment
The risk involves potential theft of sensitive credentials (e.g., passwords, tokens) by an attacker with only basic system access, which could enable further unauthorized access to other systems.
Recommendation
Immediately update the Zowe zDevOps plugin to a version later than 1.1.3.50.ve350c9b_450b_1, which fixes the missing permission check.
Original NVD description (English source)
A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

