CVE-2026-33003
Unencrypted API Key Exposure in Jenkins LoadNinja Plugin
Publication date: 2026-03-18
Last updated on: 2026-03-21
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | loadninja | to 2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Jenkins LoadNinja Plugin version 2.1 and earlier stores LoadNinja API keys unencrypted in the job config.xml files on the Jenkins controller.
These API keys can be viewed by users who have Item/Extended Read permission or by anyone with access to the Jenkins controller file system.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of LoadNinja API keys.
Users with certain Jenkins permissions or access to the Jenkins controller file system could view these sensitive API keys, potentially leading to misuse or unauthorized access to LoadNinja services.
The CVSS score of 4.3 indicates a low to medium severity impact, primarily affecting confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know