CVE-2026-33003
Description
Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins LoadNinja Plugin stores API keys unencrypted in job config.xml, exposing them to users with read permissions or file system access.
# Vulnerability Overview
The Jenkins LoadNinja Plugin versions 2.1 and earlier stores LoadNinja API keys in plaintext within job config.xml files on the Jenkins controller [1]. This failure to encrypt sensitive credentials at rest violates security best practices and allows any user who can read those configuration files to obtain the API keys.
# Attack Surface
Attackers can exploit this vulnerability through two primary vectors. Users with Item/Extended Read permission on a job can view the config.xml via the Jenkins web interface [1]. Additionally, any user with access to the Jenkins controller's file system can read the config.xml files directly [1]. No authentication to the LoadNinja service is required beyond the exposed API key itself.
# Impact
The impact is the unauthorized exposure of LoadNinja API keys, which can be used to access the LoadNinja platform and perform actions such as executing load tests, viewing test results, or managing the account linked to the key [3]. This could lead to resource abuse, data exposure, or further compromise of the LoadNinja service.
# Mitigation
As of the publication date, the vulnerability affects plugin version 2.1 and earlier. Users should monitor the Jenkins project for a patched version that encrypts stored API keys. In the meantime, restricting access to job configurations and the controller file system can reduce risk.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
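To find which jobs hold an exposed key before restricting access, as the mitigation above suggests, the following added example (not code from the plugin, the advisory, or this page's sources) walks a Jenkins home directory and reports job config.xml files that contain a key-like value not stored in Jenkins' encrypted `{base64}` Secret form. Matching element names on `apikey` is an assumption, since the page does not name the field the plugin writes.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins serialises hudson.util.Secret values as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Assumption: the key sits in an element whose name contains "apikey".
KEY_TAG = re.compile(r"apikey", re.IGNORECASE)
# Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def plaintext_keys(config_path):
    """Return the tag names in one config.xml that hold an unencrypted value."""
    text = Path(config_path).read_text(encoding="utf-8", errors="replace")
    try:
        root = ET.fromstring(XML_DECL.sub("", text, count=1))
    except ET.ParseError:
        return []  # unparseable file: skipped here, review it by hand
    hits = []
    for elem in root.iter():
        value = (elem.text or "").strip()
        if KEY_TAG.search(elem.tag) and value and not ENCRYPTED.match(value):
            hits.append(elem.tag)  # record the tag only, never the key itself
    return hits


def audit(jenkins_home):
    """Map each job config.xml under <jenkins_home>/jobs to its plaintext key tags."""
    findings = {}
    # rglob also reaches jobs nested inside folders (jobs/<folder>/jobs/<job>).
    for cfg in sorted(Path(jenkins_home, "jobs").rglob("config.xml")):
        tags = plaintext_keys(cfg)
        if tags:
            findings[str(cfg)] = tags
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for path, tags in audit(sys.argv[1]).items():
        print(f"{path}: plaintext value in <{', '.join(tags)}>")
```

Any key this reports should be treated as disclosed and rotated in LoadNinja, not only re-saved in Jenkins.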
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:loadninja (Maven) | < 2.2 | 2.2 |
Affected products
- Range: <=2.1
- Jenkins Project/Jenkins LoadNinja Plugin (v5), Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-qqjr-hf5h-jx3q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33003 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2026-03-18/ (ghsa, vendor-advisory, WEB)
News mentions
- Jenkins Security Advisory 2026-03-18 (Jenkins Security Advisories, Mar 18, 2026)