PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48924 Jenkins Project CVE debrief

Jenkins Bitbucket OAuth Plugin 0.17 and earlier contains an open redirect vulnerability (CWE-601) that allows attackers to redirect users to arbitrary URLs after authentication. The plugin fails to validate or restrict the redirect URL parameter during the OAuth login flow, enabling phishing attacks where users may be sent to attacker-controlled sites after completing legitimate authentication. This vulnerability was disclosed in the Jenkins security advisory dated 2026-05-27.

Vendor
Jenkins Project
Product
Jenkins Bitbucket OAuth Plugin
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Jenkins administrators using Bitbucket OAuth Plugin for authentication; security teams managing CI/CD infrastructure; developers with Jenkins instances integrated with Bitbucket; organizations relying on OAuth-based SSO for Jenkins access

Technical summary

The Jenkins Bitbucket OAuth Plugin versions 0.17 and earlier fail to implement proper redirect URL validation during the OAuth authentication flow. When a user initiates login via Bitbucket OAuth, the plugin accepts arbitrary redirect destinations without validation, allowing an attacker to craft malicious links that redirect authenticated users to attacker-controlled sites. This can facilitate credential harvesting and phishing campaigns by exploiting user trust in the legitimate Jenkins authentication process. The vulnerability requires user interaction (clicking a malicious link) but no authentication privileges.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Jenkins Bitbucket OAuth Plugin to a version newer than 0.17 when available
  • Review OAuth callback URL configurations in Jenkins security settings
  • Implement additional validation of redirect parameters in custom OAuth integrations
  • Monitor authentication logs for unusual redirect patterns
  • Educate users to verify destination URLs before entering credentials
  • Apply principle of least privilege for Jenkins OAuth application registrations
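To illustrate the redirect-parameter validation recommended above, here is an added Python example (not code from the Bitbucket OAuth Plugin or the Jenkins project) that contrasts a naive "starts with a slash" check with a validator that only ever returns same-origin destinations; the Jenkins root URL and the sample inputs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed Jenkins root URL; constructed for this example, not from the advisory.
JENKINS_ROOT = "https://ci.example.internal/"


def weak_is_local(target: str) -> bool:
    """Naive check often seen in login handlers: a leading slash 'looks' local.
    It passes '//other.host/path', which browsers resolve to a different host."""
    return target.startswith("/")


def safe_redirect_target(target: Optional[str], root: str = JENKINS_ROOT) -> str:
    """Return a post-login destination that is guaranteed to stay on `root`.

    Only rooted, same-origin relative paths are accepted; anything else
    (absolute URLs, protocol-relative URLs, odd schemes, empty values)
    falls back to the Jenkins root, which is what an OAuth callback should do.
    """
    if not target:
        return root
    # Some browsers treat backslashes as slashes, so normalise before parsing
    # so that a value like '/\evil.host' cannot slip past the path checks.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # A scheme or an authority component means this is not a plain local path.
    if parts.scheme or parts.netloc:
        return root
    # Require a rooted path (the '//' clause is belt-and-braces).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return root
    # Resolve against the root and confirm the origin is unchanged. Return the
    # resolved absolute URL, never the raw input: slash tricks such as '///host'
    # are parsed as a path by urlsplit but as a host by browsers, so only the
    # normalised form may reach the Location header.
    resolved = urljoin(root, candidate)
    if urlsplit(resolved).netloc != urlsplit(root).netloc or not resolved.startswith(root):
        return root
    return resolved


if __name__ == "__main__":
    # Constructed sample values a login handler might receive in a redirect parameter.
    samples = ["/job/build/", "//evil.example/login", "/\\evil.example/",
               "https://evil.example/", "javascript:alert(1)", None]
    for s in samples:
        print(f"{s!r:28} weak={weak_is_local(s or '')!s:5} safe={safe_redirect_target(s)}")
```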

Evidence notes

Vulnerability confirmed via Jenkins security advisory SECURITY-3761. CVSS 3.1 score of 4.3 (Medium) reflects network attack vector, low attack complexity, no privileges required, user interaction required, and low integrity impact. No confidentiality or availability impact. CWE-601 (URL Redirection to Untrusted Site) identified as the weakness type.

Official resources

2026-05-27