Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
AnalysisAI
The Jenkins LoadNinja Plugin version 2.1 and earlier fails to mask LoadNinja API keys displayed on the job configuration form, allowing attackers with access to the Jenkins web interface to observe and capture sensitive credentials. This information disclosure vulnerability affects Jenkins administrators and users with job configuration visibility, enabling credential theft that could lead to unauthorized access to LoadNinja services and associated testing infrastructure. No CVSS score, EPSS data, or active exploitation status (KEV listing) is currently available in public sources.
Technical ContextAI
The LoadNinja Plugin (CPE: cpe:2.3:a:jenkins_project:jenkins_loadninja_plugin:*:*:*:*:*:*:*:*) integrates LoadNinja cloud-based load testing services into Jenkins CI/CD pipelines by storing and displaying API credentials on job configuration pages. The vulnerability is rooted in a failure to implement password masking controls—a standard security practice where sensitive input fields are rendered as masked text (using HTML input type='password' or equivalent obfuscation) rather than plaintext. This falls under CWE-200 (Information Exposure) and more specifically relates to insufficient output encoding and field masking controls. The plugin stores LoadNinja API keys without encrypting their display representation, making them readable to any user who can access the job configuration page via the Jenkins web UI.
RemediationAI
Upgrade the Jenkins LoadNinja Plugin to a version greater than 2.1 immediately by accessing Jenkins' Plugin Manager (Manage Jenkins > Plugin Manager) and updating to the patched release published after the 2026-03-18 advisory (see https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642 for exact version numbers). If immediate patching is not possible, restrict access to job configuration pages to a minimal set of trusted administrators using Jenkins' role-based access control (RBAC) via the Role Strategy Plugin or matrix-based security features, and audit CloudBees credentials vault to identify any LoadNinja API keys that may have been exposed; rotate those keys in the LoadNinja service immediately. Additionally, monitor LoadNinja account activity logs for unauthorized access attempts and enable multi-factor authentication on LoadNinja accounts to reduce post-compromise impact.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12849
GHSA-p9hg-wrmv-v8cp