Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (HITVAN) · only source for this CVE.
CVSS VectorVendor: HITVAN
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.
AnalysisAI
Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-privileged users to interact with platform mail notification resources without authorization. Affected versions span the 8.3.x, 9.3.x, and pre-10.2.0.6/11.0.0.0 release lines. An attacker with a valid low-privilege account can read, modify, or disrupt mail notification configurations, resulting in limited confidentiality, integrity, and availability impact. No public exploit code exists and no active exploitation has been identified at time of analysis.
Technical ContextAI
Pentaho Data Integration & Analytics is an enterprise ETL and business analytics platform by Hitachi Vantara. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource): the application exposes internal API endpoints governing platform mail notification settings but fails to apply access control lists (ACLs) to those endpoints. Under normal design, ACL enforcement gates which roles or users may invoke platform management APIs; the absence of this check on the mail notification subsystem means the platform's authorization model is incomplete for that resource class. The affected product is confirmed via CPE cpe:2.3:a:hitachi_vantara:pentaho_data_integration_and_analytics:*:*:*:*:*:*:*:* and the issue is classified under the 'Information Disclosure' tag, though the CVSS integrity and availability impact components indicate broader consequences beyond read-only exposure.
RemediationAI
The primary fix is to upgrade Pentaho Data Integration & Analytics to version 10.2.0.6 or later for the 10.x branch, or to version 11.0.0.0 or later for the 11.x branch. The vendor-released patch is documented at https://support.pentaho.com/hc/en-us/articles/45676384909069. For environments where immediate upgrading is not feasible, administrators should consider restricting network-level access to the Pentaho server to trusted internal networks or VPN-only paths, which raises the effective attack complexity for any low-privilege account holder who is not already on the internal network. Additionally, auditing current user account permissions to minimize the number of accounts holding any authenticated access to the platform reduces the pool of potential abusers. These are compensating controls only and do not fix the underlying ACL absence; upgrading remains the authoritative remediation.
Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC d
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restr
External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privil
Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32045
GHSA-phv5-4967-vww3