Permission Bypass in Jenkins Contrast Plugin <=3.11 via attacker-specified URL
CVE-2026-57297 Published on June 24, 2026

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.

Products Associated with CVE-2026-57297

Affected Versions

Jenkins Project Jenkins Contrast Continuous Application Security Plugin: