Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site request forgery vulnerability (CWE-352) in the Jenkins Contrast Continuous Application Security Plugin allows an attacker to force Jenkins to connect to a URL chosen by the attacker, using credentials supplied by the attacker. This could enable the attacker to obtain access tokens, privileged API keys, or other secrets, and to initiate unauthorized connections to internal or external services without the user’s explicit consent. The impact is potential credential theft and illicit remote activity originating from the Jenkins server, compromising the confidentiality and integrity of the infrastructure it serves.

Affected Systems

The flaw exists in the Jenkins Contrast Continuous Application Security Plugin version 3.11 and earlier. The plugin is distributed by the Jenkins Project and is used to integrate Contrast’s application security analysis into Jenkins jobs.

Risk and Exploitability

The CVSS score is 5.4, EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not currently known to be widely exploited. The attack requires a user to be authenticated to the Jenkins instance; once CSRF is achieved, the attacker can supply arbitrary connection parameters. The risk is considered moderate owing to the CVSS rating, though the potential for credential compromise and unauthorized remote connections remains significant.

Generated by OpenCVE AI on June 24, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Contrast Continuous Application Security Plugin version 3.12 or later, if available.
  • Disable or uninstall the Contrast plugin when it is not required for your workflow.
  • Enable Jenkins’ CSRF protection under “Configure Global Security.”
  • Restrict outbound network traffic from the Jenkins server to trusted hosts using firewall rules or network segmentation.


Advisories

No advisories yet.

History

Each entry lists the fields whose values were added; no values were removed in any entry.

Wed, 24 Jun 2026 19:00:00 +0000
  • Title (added): Cross-Site Request Forgery in Jenkins Contrast Plugin Allows Arbitrary Remote Connections

Wed, 24 Jun 2026 16:30:00 +0000
  • Metrics (added), cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
  • Metrics (added), ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 15:00:00 +0000
  • Title (added): Cross-Site Request Forgery in Jenkins Contrast Plugin Allows Arbitrary Remote Connections
  • Weaknesses (added): CWE-352

Wed, 24 Jun 2026 13:45:00 +0000
  • Description (added): A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
  • References:

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T15:12:29.222Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57298

Vulnrichment

Updated: 2026-06-24T15:09:09.120Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:45:05Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)