CVE-2025-31726: 
Java vulnerability analysis and mitigation

CVE-2025-31726 affects the Jenkins Stack Hammer Plugin versions 1.0.6 and earlier. The vulnerability was discovered and disclosed on April 2, 2025, impacting the plugin's security mechanism for storing API keys. The vulnerability affects installations of Jenkins using the Stack Hammer Plugin for job configurations (Jenkins Advisory, NVD).

The vulnerability stems from the Stack Hammer Plugin storing API keys in an unencrypted format within job config.xml files on the Jenkins controller. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L. The weakness is classified as CWE-284 (Improper Access Control) (CISA-ADP).

The vulnerability exposes Stack Hammer API keys to unauthorized access. Users with Extended Read permission or those who have access to the Jenkins controller file system can view these unencrypted API keys, potentially compromising the security of associated services and systems (Jenkins Advisory).

As of the advisory's publication date, no fix is available for the Stack Hammer Plugin. Organizations using affected versions should implement strict access controls to both the Jenkins controller file system and Extended Read permissions to minimize the risk of unauthorized access to the API keys (Jenkins Advisory).