Skip to main content

Jenkins CVE-2026-33004

| EUVDEUVD-2026-12849 MEDIUM
Information Exposure (CWE-200)
2026-03-18 jenkins GHSA-p9hg-wrmv-v8cp
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 15:45 euvd
EUVD-2026-12849
Analysis Generated
Mar 18, 2026 - 15:45 vuln.today
CVE Published
Mar 18, 2026 - 15:15 nvd
MEDIUM 4.3

DescriptionCVE.org

Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

AnalysisAI

The Jenkins LoadNinja Plugin version 2.1 and earlier fails to mask LoadNinja API keys displayed on the job configuration form, allowing attackers with access to the Jenkins web interface to observe and capture sensitive credentials. This information disclosure vulnerability affects Jenkins administrators and users with job configuration visibility, enabling credential theft that could lead to unauthorized access to LoadNinja services and associated testing infrastructure. No CVSS score, EPSS data, or active exploitation status (KEV listing) is currently available in public sources.

Technical ContextAI

The LoadNinja Plugin (CPE: cpe:2.3:a:jenkins_project:jenkins_loadninja_plugin:*:*:*:*:*:*:*:*) integrates LoadNinja cloud-based load testing services into Jenkins CI/CD pipelines by storing and displaying API credentials on job configuration pages. The vulnerability is rooted in a failure to implement password masking controls—a standard security practice where sensitive input fields are rendered as masked text (using HTML input type='password' or equivalent obfuscation) rather than plaintext. This falls under CWE-200 (Information Exposure) and more specifically relates to insufficient output encoding and field masking controls. The plugin stores LoadNinja API keys without encrypting their display representation, making them readable to any user who can access the job configuration page via the Jenkins web UI.

RemediationAI

Upgrade the Jenkins LoadNinja Plugin to a version greater than 2.1 immediately by accessing Jenkins' Plugin Manager (Manage Jenkins > Plugin Manager) and updating to the patched release published after the 2026-03-18 advisory (see https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642 for exact version numbers). If immediate patching is not possible, restrict access to job configuration pages to a minimal set of trusted administrators using Jenkins' role-based access control (RBAC) via the Role Strategy Plugin or matrix-based security features, and audit CloudBees credentials vault to identify any LoadNinja API keys that may have been exposed; rotate those keys in the LoadNinja service immediately. Additionally, monitor LoadNinja account activity logs for unauthorized access attempts and enable multi-factor authentication on LoadNinja accounts to reduce post-compromise impact.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Share

CVE-2026-33004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy