What is the CVSS score of CVE-2026-2254?

CVE-2026-2254 has a CVSS 3.1 base score of 6.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-2254?

Yes, a patch is available for CVE-2026-2254. Update the affected software to the latest version immediately.

Pentaho Data Integration CVE-2026-2254

EUVD-2026-32045 MEDIUM

Incorrect Permission Assignment for Critical Resource (CWE-732)

2026-05-27 HITVAN

GHSA-phv5-4967-vww3

Information Disclosure Pentaho Data Integration And Analytics

6.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 21:24 vuln.today

Patch available

May 27, 2026 - 19:46 EUVD

DescriptionNVD

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.

AnalysisAI

Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-privileged users to interact with platform mail notification resources without authorization. Affected versions span the 8.3.x, 9.3.x, and pre-10.2.0.6/11.0.0.0 release lines. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-2254 vulnerability details – vuln.today

Back