Description
Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Published: 2026-03-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized exposure of LoadNinja API keys
Action: Patch
AI Analysis

Impact

The LoadNinja Plugin for Jenkins stores API keys in job configuration files without encryption. Anyone who can view a job's config.xml, either through the web UI with Item/Extended Read permission or through filesystem access on the Jenkins controller, can read these secrets. The impact is to confidentiality: a recovered key could be used to misuse the LoadNinja service or to reach resources it protects.

Affected Systems

All Jenkins installations running LoadNinja Plugin 2.1 or earlier are affected. The affected component is the Jenkins Project's LoadNinja Plugin, as listed by the CNA; check for an updated plugin version that addresses the issue.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and an EPSS below 1% implies a low likelihood of exploitation in the near term. The issue is not listed in the CISA KEV catalog. Exploitation requires either web UI access with Item/Extended Read permission or direct filesystem access on the Jenkins controller, so it is largely limited to insiders or already-privileged users. Nonetheless, exposure of API credentials is a significant confidentiality risk.

Generated by OpenCVE AI on March 21, 2026 at 07:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LoadNinja Plugin to version 2.2 or later if available.
  • If a patch is not yet released, remove the plugin, or redeploy it in a way that forces the job configuration to be regenerated, so that the unencrypted keys are cleared.
  • Restrict Item/Extended Read permissions to only trusted users to prevent unauthorized viewing of job configurations.
  • Limit filesystem access to the Jenkins controller so that only system administrators can read "config.xml" files.
  • Consider configuring Jenkins to store credentials in the built-in credential store instead of plain config files.
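One way to check a controller for the exposure described above is to walk each job's config.xml and flag credential-looking elements whose value is not a Jenkins-encrypted Secret. The script below is an added example written for this page, not code from OpenCVE or the LoadNinja Plugin; the plugin element and the `<apiKey>` tag in its constructed sample are placeholders, since the page does not name the plugin's XML layout, and the brace-wrapped base64 check for Jenkins Secret values is an assumption about how Jenkins serialises `hudson.util.Secret`.

```python
"""Audit Jenkins job config.xml files for credentials stored in plaintext.

Added example; it is not part of the OpenCVE record or of the LoadNinja Plugin.
Assumptions (not taken from the page): the plugin element and <apiKey> tag used
in the constructed sample are placeholders for whatever the real plugin writes,
and Jenkins' hudson.util.Secret values are serialised as base64 inside braces.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Tag names that commonly hold credentials. Extend with the tag the plugin
# actually uses once it has been identified in a real config.xml.
SECRET_TAGS = re.compile(r"apikey|api_key|token|secret|password|passphrase", re.IGNORECASE)

# A Jenkins-encrypted Secret looks like "{AQAAABAAAA...==}" (base64 in braces).
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")


def is_encrypted(value):
    """True if the value has the shape of a Jenkins-encrypted Secret."""
    return bool(ENCRYPTED_RE.match(value))


def mask(value):
    """Keep a short prefix so a finding can be located without echoing the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def find_plaintext_secrets(xml_text):
    """Return (element path, masked value) for secret-looking elements that are not encrypted."""
    findings = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if SECRET_TAGS.search(child.tag) and text and not is_encrypted(text):
                findings.append((child_path, mask(text)))
            walk(child, child_path)

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return findings


def audit_jobs(jobs_root):
    """Scan every <jobs_root>/<job>/config.xml on a controller; map job name -> findings."""
    report = {}
    for cfg in sorted(Path(jobs_root).glob("*/config.xml")):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            report[cfg.parent.name] = hits
    return report


# Constructed sample: one plaintext API key in a placeholder plugin element,
# one properly encrypted value elsewhere in the same job.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.loadninja.LoadNinjaBuilder plugin="loadninja@2.1">
      <apiKey>ln_EXAMPLE_PLAINTEXT_KEY_0000</apiKey>
      <projectId>12345</projectId>
    </com.example.loadninja.LoadNinjaBuilder>
  </builders>
  <publishers>
    <com.example.notify.Notifier>
      <token>{AQAAABAAAAAQc2FtcGxlLWVuY3J5cHRlZC1zZWNyZXQ=}</token>
    </com.example.notify.Notifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for path, shown in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"PLAINTEXT {path} = {shown}")
    # On a controller, run against the jobs directory, e.g.:
    # print(audit_jobs("/var/lib/jenkins/jobs"))
```

Run it as the Jenkins service account on the controller (it only reads files). A hit means the job's config.xml holds a secret that Item/Extended Read or filesystem access would expose; the remedy is to move that value into the Jenkins credential store and regenerate the job configuration, then re-run the audit to confirm the plaintext value is gone. Output is masked so the report itself does not become another copy of the key.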

Advisories

Source: GitHub GHSA
ID: GHSA-qqjr-hf5h-jx3q
Title: Jenkins LoadNinja Plugin stores LoadNinja API keys unencrypted in job config.xml files

History

Sat, 21 Mar 2026 05:30:00 +0000

  First Time appeared, values added: Jenkins; Jenkins loadninja
  CPEs, values added: cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:*
  Vendors & Products, values added: Jenkins; Jenkins loadninja

Thu, 19 Mar 2026 09:45:00 +0000

  First Time appeared, values added: Jenkins Project; Jenkins Project jenkins Loadninja Plugin
  Vendors & Products, values added: Jenkins Project; Jenkins Project jenkins Loadninja Plugin

Wed, 18 Mar 2026 16:15:00 +0000

  Weaknesses, values added: CWE-312
  Metrics, values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
  Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 15:45:00 +0000

  Description, values added: Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
  References, values added:
References

MITRE

Status: PUBLISHED
Assigner: jenkins
Published:
Updated: 2026-03-18T15:55:13.735Z
Reserved: 2026-03-17T15:04:07.616Z
Link: CVE-2026-33003

Vulnrichment

Updated: 2026-03-18T15:54:11.498Z

NVD

Status: Analyzed
Published: 2026-03-18T16:16:28.290
Modified: 2026-03-21T00:18:27.543
Link: CVE-2026-33003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:41Z

Weaknesses