CVE-2026-33003PATCHED

jenkins · loadninja

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or

Description

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Affected Products

Vendor	Product	Versions
jenkins	loadninja	< 2.2

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
jenkins	jenkins	cert_advisory	90%
red hat	red hat enterprise linux	cert_advisory	90%

References

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642(Vendor Advisory)

Related News (1 articles)

Tier B

BSI Advisories33d ago

[UPDATE] [hoch] Jenkins: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.14.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

2.2

CWECWE-312

PublishedMar 18, 2026

Last enriched56d ago

Trending Score1

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

PRE-CVE

Multiple Vulnerabilities in Jenkins Plugins

Trending: 20

HIGHCVE-2026-42524EXP

CVE-2026-42524: Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in

Trending: 1

CRITICALCVE-2026-42523EXP

CVE-2026-42523: Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing val

Trending: 1

HIGHCVE-2026-33002

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected

Trending: 1

HIGHCVE-2026-42520EXP

CVE-2026-42520: Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file cre

Trending: 1

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 18, 2026

Patch Available

Mar 21, 2026

Discovered by ZDM

Apr 1, 2026