Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AnalysisAI
The Jenkins LoadNinja Plugin versions 2.1 and earlier stores LoadNinja API keys in plaintext within job configuration files (config.xml) on the Jenkins controller, allowing unauthorized disclosure of sensitive credentials. Users with Item/Extended Read permission on Jenkins jobs or direct file system access to the controller can extract these API keys, potentially leading to account compromise and unauthorized access to LoadNinja services. This is a straightforward credential exposure vulnerability with no complexity barriers to exploitation once access is gained.
Technical ContextAI
The Jenkins LoadNinja Plugin (CPE: cpe:2.3:a:jenkins_project:jenkins_loadninja_plugin:*:*:*:*:*:*:*:*) integrates LoadNinja load-testing services with Jenkins CI/CD pipelines. The vulnerability stems from improper credential handling at the root cause level—storing authentication tokens without encryption in configuration files. This represents a CWE-312 class flaw (Cleartext Storage of Sensitive Information) and CWE-522 class issue (Insufficiently Protected Credentials). Jenkins stores job configurations as XML files on the controller file system; the plugin fails to leverage Jenkins' built-in credential encryption mechanisms (which use the Jenkins master key to encrypt sensitive data). When API keys are stored as plaintext in config.xml, any process or user with read access to the Jenkins controller directory structure can retrieve them without additional authentication or decryption steps.
RemediationAI
Upgrade the Jenkins LoadNinja Plugin to a version newer than 2.1, which implements encrypted storage of API credentials using Jenkins' credential management system. Consult the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642 for the exact patched version number and upgrade procedures. As an interim measure prior to patching, restrict Item/Extended Read permissions on Jenkins jobs containing LoadNinja credentials to only trusted administrators, and audit file system access to the Jenkins controller directory to prevent unauthorized credential extraction. Additionally, rotate any LoadNinja API keys that may have been exposed, and enable Jenkins audit logging to detect suspicious credential access attempts.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12847
GHSA-qqjr-hf5h-jx3q