Permission Bypass in Jenkins Contrast Plugin <=3.11 via attacker-specified URL
CVE-2026-57297 Published on June 24, 2026
A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
Products Associated with CVE-2026-57297
Affected Versions
Jenkins Project, Jenkins Contrast Continuous Application Security Plugin: versions 3.11 and earlier are affected.
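The bug class described above is the well-known Jenkins form-validation pattern: a "test connection" endpoint that reads caller-supplied connection details but never checks that the caller may configure that connection. The following is an added example, not the Contrast plugin's own code, showing the unprotected shape beside the hardened shape that Jenkins plugin security guidance prescribes (`@POST` plus `checkPermission`). Class, method and parameter names are hypothetical.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    // BEFORE (the bug class in the advisory): reachable over GET by anyone with
    // Overall/Read, so Jenkins will open a connection to a URL of the caller's
    // choosing using credentials the caller supplies. Hypothetical method name.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String username,
                                                 @QueryParameter String apiKey,
                                                 @QueryParameter String serviceKey) {
        return probe(url, username, apiKey, serviceKey);
    }

    // AFTER: require POST (the button is a form submission, never a link) and
    // require Overall/Administer, the permission needed to save this global
    // configuration in the first place. checkPermission throws if it fails.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String apiKey,
                                           @QueryParameter String serviceKey) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(url, username, apiKey, serviceKey);
    }

    // Hypothetical connectivity probe standing in for the plugin's real client
    // call; it only matters that it contacts the caller-supplied URL.
    private FormValidation probe(String url, String username, String apiKey, String serviceKey) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setRequestProperty("API-Key", apiKey);
            conn.setRequestProperty("Service-Key", serviceKey);
            conn.setRequestProperty("Username", username);
            conn.setConnectTimeout(5000);
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected")
                                : FormValidation.error("Server returned HTTP " + status);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

For validation methods scoped to a job rather than global configuration, the equivalent check is against the ancestor item (for example `item.checkPermission(Item.CONFIGURE)`) instead of `Jenkins.ADMINISTER`.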