Skip to main content

Pentaho Data Integration & Analytics CVE-2025-11159

| EUVDEUVD-2025-209821 CRITICAL
Dependency on Vulnerable Third-Party Component (CWE-1395)
2026-05-13 HITVAN GHSA-625c-v6wq-2rq5
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 13, 2026 - 07:01 EUVD
Analysis Generated
May 13, 2026 - 06:30 vuln.today
CVE Published
May 13, 2026 - 05:36 nvd
CRITICAL 9.1

DescriptionCVE.org

Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.

AnalysisAI

Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC driver. Authenticated data source administrators can execute arbitrary external scripts during database connection creation, achieving complete system compromise with potential container escape (CVSS scope changed). EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor advisory indicates patches available in versions 10.2.0.7 and 11.0.0.0.

Technical ContextAI

This vulnerability exploits the H2 database JDBC driver bundled with Pentaho Data Integration & Analytics. CWE-1395 classifies this as a dependency on vulnerable third-party component. H2 is an embedded Java SQL database commonly used for data integration workflows. Historical H2 JDBC vulnerabilities have enabled remote code execution through malicious JDBC connection strings containing embedded JavaScript, SQL, or system commands executed during connection initialization. When data source administrators create new database connections in Pentaho, specially crafted H2 JDBC URLs can trigger external script execution in the context of the application server process. The CVSS scope changed metric indicates the vulnerability can affect resources beyond the vulnerable component's security scope, suggesting potential for container escape or lateral movement in containerized deployments common with Pentaho platforms.

RemediationAI

Upgrade immediately to Pentaho Data Integration & Analytics version 10.2.0.7 (for 10.x deployments) or 11.0.0.0 (for 11.x or new deployments) per vendor advisory at https://support.pentaho.com/hc/en-us/articles/39954640408077. Test upgrades in non-production environments first as major version transitions may introduce compatibility issues with existing data integration workflows, custom plugins, or third-party connectors. If immediate patching is not feasible, implement compensating controls: restrict data source administrator role assignments to minimum necessary personnel with strong multi-factor authentication enforcement; enable comprehensive audit logging of all data source creation and modification activities with alerting on suspicious JDBC URL patterns containing INIT, SCRIPT, or command execution syntax; apply network segmentation to isolate Pentaho instances from sensitive internal networks and databases; disable or remove H2 database connectivity if not operationally required and alternative JDBC drivers (PostgreSQL, MySQL, Oracle) can satisfy use cases. Note that restricting admin access reduces attack surface but does not eliminate vulnerability if those accounts are compromised. Blocking outbound network connections from Pentaho application servers may limit external script retrieval but will not prevent local script execution payloads.

Share

CVE-2025-11159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy