Skip to main content

Jenkins CVE-2026-33003

| EUVDEUVD-2026-12847 MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
2026-03-18 jenkins GHSA-qqjr-hf5h-jx3q
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 15:45 euvd
EUVD-2026-12847
Analysis Generated
Mar 18, 2026 - 15:45 vuln.today
CVE Published
Mar 18, 2026 - 15:15 nvd
MEDIUM 4.3

DescriptionCVE.org

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

AnalysisAI

The Jenkins LoadNinja Plugin versions 2.1 and earlier stores LoadNinja API keys in plaintext within job configuration files (config.xml) on the Jenkins controller, allowing unauthorized disclosure of sensitive credentials. Users with Item/Extended Read permission on Jenkins jobs or direct file system access to the controller can extract these API keys, potentially leading to account compromise and unauthorized access to LoadNinja services. This is a straightforward credential exposure vulnerability with no complexity barriers to exploitation once access is gained.

Technical ContextAI

The Jenkins LoadNinja Plugin (CPE: cpe:2.3:a:jenkins_project:jenkins_loadninja_plugin:*:*:*:*:*:*:*:*) integrates LoadNinja load-testing services with Jenkins CI/CD pipelines. The vulnerability stems from improper credential handling at the root cause level—storing authentication tokens without encryption in configuration files. This represents a CWE-312 class flaw (Cleartext Storage of Sensitive Information) and CWE-522 class issue (Insufficiently Protected Credentials). Jenkins stores job configurations as XML files on the controller file system; the plugin fails to leverage Jenkins' built-in credential encryption mechanisms (which use the Jenkins master key to encrypt sensitive data). When API keys are stored as plaintext in config.xml, any process or user with read access to the Jenkins controller directory structure can retrieve them without additional authentication or decryption steps.

RemediationAI

Upgrade the Jenkins LoadNinja Plugin to a version newer than 2.1, which implements encrypted storage of API credentials using Jenkins' credential management system. Consult the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642 for the exact patched version number and upgrade procedures. As an interim measure prior to patching, restrict Item/Extended Read permissions on Jenkins jobs containing LoadNinja credentials to only trusted administrators, and audit file system access to the Jenkins controller directory to prevent unauthorized credential extraction. Additionally, rotate any LoadNinja API keys that may have been exposed, and enable Jenkins audit logging to detect suspicious credential access attempts.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Share

CVE-2026-33003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy