CVE-2026-48924

Vulnerability

Jenkins Bitbucket OAuth Plugin versions 0.17 and earlier do not restrict the redirect URL after a successful OAuth login. This allows an attacker to specify an arbitrary external URL as the redirect target, leveraging the legitimate Jenkins login flow for malicious purposes [1].

Exploitation

An attacker can craft a login link that, after the victim authenticates via Bitbucket OAuth, redirects the victim's browser to an attacker-controlled site. The attacker can make the victim initiate this link (e.g., via email or social engineering). No special network position or authentication is required beyond tricking a user into clicking the crafted URL [1].

Impact

Successful exploitation enables phishing attacks: the victim is redirected to a malicious site after completing a legitimate login, potentially leading to credential theft or further compromise. The attacker gains no direct access to Jenkins resources but abuses the OAuth flow to lend credibility to the phishing page [1].

Mitigation

As of the advisory publication date (2026-05-27), no fixed version has been released for the Bitbucket OAuth Plugin. Users should disable the plugin if not needed, monitor for updates, and educate users about phishing risks. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog [1].