VYPR
Moderate severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 19, 2026

CVE-2026-33004

Description

Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins LoadNinja Plugin 2.1 and earlier exposes plaintext LoadNinja API keys on the job configuration form, increasing the risk of credential theft.

Vulnerability Description

The Jenkins LoadNinja Plugin, versions 2.1 and earlier, fails to mask the LoadNinja API key when it is displayed on the job configuration form. The plugin allows users to specify an API key for integration with the LoadNinja cloud-based load testing platform. When the key is entered, the field is shown in plaintext instead of using a password-style mask (e.g., obscured characters), making the credential visible to anyone who can view the job configuration. This is a classic information disclosure issue caused by missing field masking. [1][2]
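A check for the missing-mask pattern described above, as an added example that is not code from the advisory or from the plugin. It assumes the configuration form is a Jelly view built on the standard Jenkins form tag library (`/lib/form`); the sample view and its field names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FORM_NS = "/lib/form"  # Jenkins form tag library, usually bound to the "f" prefix
SENSITIVE = re.compile(r"api[_-]?key|token|secret|passw(or)?d", re.I)
PLAIN_CONTROLS = {"textbox", "textarea", "expandableTextbox"}  # render the value in clear

# Constructed sample view; field names are hypothetical, not the plugin's own.
SAMPLE = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="API key" field="apiKey">
    <f:textbox/>
  </f:entry>
  <f:entry title="Scenario ID" field="scenarioId">
    <f:textbox/>
  </f:entry>
  <f:entry title="Proxy password" field="proxyPassword">
    <f:password/>
  </f:entry>
</j:jelly>"""

def _walk(elem, entry_field, findings):
    # ElementTree spells namespaced tags as "{namespace}name".
    ns, _, name = elem.tag[1:].partition("}") if elem.tag.startswith("{") else ("", "", elem.tag)
    if ns == FORM_NS and name == "entry":
        entry_field = elem.get("field", "")  # children inherit the entry's field
    elif ns == FORM_NS and name in PLAIN_CONTROLS:
        field = elem.get("field") or elem.get("name") or entry_field
        if SENSITIVE.search(field):
            findings.append((field, name))
    for child in elem:
        _walk(child, entry_field, findings)

def unmasked_secret_fields(jelly_source):
    """Return (field, control) pairs where a secret-looking field uses a plaintext control."""
    findings = []
    _walk(ET.fromstring(jelly_source), "", findings)
    return findings

if __name__ == "__main__":
    for field, control in unmasked_secret_fields(SAMPLE):
        # Usual Jenkins remedy: render with <f:password/> and hold the value as hudson.util.Secret.
        print(f"{field}: <f:{control}> shows the value in clear text")
```

Run over a plugin's `config.jelly` files, this flags only secret-looking fields bound to plaintext controls; fields already rendered with `<f:password/>` are not reported.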

Exploitation

Context

An attacker with read access to a job's configuration—such as users with Job/Configure permission or those able to view job settings through other means—can directly observe the exposed API key. No special privileges beyond the ability to navigate to the configuration page are required to exploit this weakness. The key is visible in the Jenkins web UI without any obfuscation. [1][3]

Impact

A LoadNinja API key is a sensitive credential that provides programmatic access to the LoadNinja platform. An attacker in possession of this key could potentially use it to interact with LoadNinja on behalf of the victim, including launching load tests, accessing test results, or modifying settings. This may lead to unauthorized resource consumption, data exposure, or service disruption, depending on the permissions associated with the API key. [1][3]

Mitigation

Users should upgrade to a fixed version of the Jenkins LoadNinja Plugin once it becomes available. As of the advisory publication date, plugin versions 2.1 and earlier are affected, and no patch has been announced in the provided references. Users are advised to restrict job configuration access to trusted personnel only and monitor for plugin updates on the Jenkins update center. [1][2]

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:loadninja (Maven) | < 2.2 | 2.2

Patches

No patches discovered yet.
