This was already mentioned in JENKINS-75440, but since it's a separate issue from the URL I assumed it's better to create it's own ticket for it. In 935.1.3 the avatar URL was fixed, but an Organization Folder that does not have anonymous read permissions still fails to load the avatar.

In the logs I see:

jenkins-controller-1  | 2025-04-28T16:13:38.857333574Z 2025-04-28 16:13:38.856+0000 [id=302]    WARNING c.c.j.p.b.i.a.BitbucketAvatarImageSource#fetch: Item XYZ seems to be relocated, perform a Scan project Now action to refresh old data 

After digging into a bit I found that this is thrown in the fetch() method in BitbucketAvatarImageSource.

I added some logging and built the plugin locally, and from that I saw that Jenkins.get().getItemByFullName(scmOwner, SCMNavigatorOwner.class) returns null.
 
If I use the Script Console to call that method it works, so it looks like Jenkins.get() in the context of returns BitbucketAvatarImageSource an instance that only has public/anonymous access. Even though I am logged in as an administrator user.
 
To reproduce set the following Jenkins configuration in Manage Jenkins > Security:

1. Security Realm: Jenkins' own user database
2. Authorization: Logged-in users can do anything
3. Authorization: Disable Allow anonymous read acces

Now create an organization folder with the Show Bitbucket avatar images trait and the avatar is not loaded, it displays a random generated avatar just like when there is no project avatar.

If I enable anonymous read access and recreate the organization folder the avatar is fetched and shown as expected.

This has been broken after 934.4.2, if I downgrade to that version the avatar is displayed as expected, even with anonymous access disabled.