Description
Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Published: 2026-03-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The Jenkins LoadNinja Plugin 2.1 and older displays LoadNinja API keys in plaintext on the job configuration form, allowing anyone who can view the form to see and capture these keys. This results in a clear breach of confidentiality, enabling attackers to potentially use the keys to access or manipulate downstream services. The vulnerability is identified as CWE‑200.

Affected Systems

The vulnerability affects installations of the Jenkins LoadNinja Plugin version 2.1 and earlier, distributed by the Jenkins Project.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity impact, while an EPSS below 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires authenticated access to the Jenkins web interface with ability to view or modify job configuration, after which an attacker can read the exposed API key.

Generated by OpenCVE AI on March 21, 2026 at 07:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Jenkins LoadNinja Plugin to version 2.2 or newer.
  • If an update is not immediately possible, restrict user access to the job configuration pages to trusted users only so that only authorized personnel can view the API key field.
  • Consider configuring your Jenkins instance to store credentials in the Jenkins Credentials Store or a secrets management system, thereby preventing them from appearing in configuration forms.

Generated by OpenCVE AI on March 21, 2026 at 07:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p9hg-wrmv-v8cp Jenkins LoadNinja Plugin does not mask LoadNinja API keys displayed on the job configuration form
History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title LoadNinja API Keys Unmasked in Jenkins LoadNinja Plugin

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins loadninja
CPEs cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:*
Vendors & Products Jenkins
Jenkins loadninja

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Loadninja Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Loadninja Plugin

Wed, 18 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References

Subscriptions

Jenkins Loadninja
Jenkins Project Jenkins Loadninja Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-03-19T14:49:13.430Z

Reserved: 2026-03-17T15:04:07.616Z

Link: CVE-2026-33004

cve-icon Vulnrichment

Updated: 2026-03-19T14:49:05.645Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T16:16:28.457

Modified: 2026-03-21T00:17:45.933

Link: CVE-2026-33004

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:40Z

Weaknesses