Description
GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint.
Published: 2026-05-17
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitBucket version 4.23.1 is vulnerable to unauthenticated remote code execution. The weakness stems from predictable secret-token generation combined with an insecure file upload mechanism, which together allow an attacker to brute-force the Blowfish encryption key used to protect uploads. By uploading a malicious JAR plugin through the git-lfs endpoint and leveraging an exposed exploit endpoint, an attacker can execute arbitrary system commands, compromising the confidentiality, integrity, and availability of the affected host.

Affected Systems

The issue affects GitBucket 4.23.1 as released by the vendor gitbucket. No other major versions are listed as affected in the supplied data.

Risk and Exploitability

A CVSS score of 9.3 marks this vulnerability as critical, and it is not listed in the CISA KEV catalog. The exploit requires no authentication and can be performed remotely via standard HTTP(S) calls to the GitBucket web interface, making it broadly exploitable for anyone with network access to the instance. No EPSS score is available, but the lack of authentication combined with the high severity suggests a high likelihood of exploitation.

Generated by OpenCVE AI on May 17, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitBucket to a patched release that removes the weak token generation and secures file uploads
  • If upgrading immediately is impossible, block external access to the git-lfs endpoint and disable plugin uploads to prevent malicious JAR injection
  • Ensure that secret tokens are generated with a cryptographically secure random source, and verify that the resulting Blowfish keys cannot be recovered by brute force



Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gitbucket, Gitbucket gitbucket
Vendors & Products                    Gitbucket, Gitbucket gitbucket

Sun, 17 May 2026 12:30:00 +0000

Type                 Values Removed   Values Added
Description                           GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint.
Title                                 GitBucket 4.23.1 Unauthenticated Remote Code Execution
First Time appeared                   Jenkins, Jenkins gitbucket
Weaknesses                            CWE-306
CPEs                                  cpe:2.3:a:jenkins:gitbucket:4.23.1:*:*:*:*:*:*:*
Vendors & Products                    Jenkins, Jenkins gitbucket
References
Metrics                               cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                                      cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-17T12:11:36.911Z

Reserved: 2026-05-17T11:48:33.456Z

Link: CVE-2018-25332

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T13:16:44.840

Modified: 2026-05-17T13:16:44.840

Link: CVE-2018-25332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T16:59:58Z

Weaknesses