Skip to main content

Pentaho Data Integration CVE-2026-2254

| EUVDEUVD-2026-32045 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-27 HITVAN GHSA-phv5-4967-vww3
6.3
CVSS 3.1 · Vendor: HITVAN
Share

Severity by source

Vendor (HITVAN) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from Vendor (HITVAN) · only source for this CVE.

CVSS VectorVendor: HITVAN

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:24 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.

AnalysisAI

Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-privileged users to interact with platform mail notification resources without authorization. Affected versions span the 8.3.x, 9.3.x, and pre-10.2.0.6/11.0.0.0 release lines. An attacker with a valid low-privilege account can read, modify, or disrupt mail notification configurations, resulting in limited confidentiality, integrity, and availability impact. No public exploit code exists and no active exploitation has been identified at time of analysis.

Technical ContextAI

Pentaho Data Integration & Analytics is an enterprise ETL and business analytics platform by Hitachi Vantara. The vulnerability is rooted in CWE-732 (Incorrect Permission Assignment for Critical Resource): the application exposes internal API endpoints governing platform mail notification settings but fails to apply access control lists (ACLs) to those endpoints. Under normal design, ACL enforcement gates which roles or users may invoke platform management APIs; the absence of this check on the mail notification subsystem means the platform's authorization model is incomplete for that resource class. The affected product is confirmed via CPE cpe:2.3:a:hitachi_vantara:pentaho_data_integration_and_analytics:*:*:*:*:*:*:*:* and the issue is classified under the 'Information Disclosure' tag, though the CVSS integrity and availability impact components indicate broader consequences beyond read-only exposure.

RemediationAI

The primary fix is to upgrade Pentaho Data Integration & Analytics to version 10.2.0.6 or later for the 10.x branch, or to version 11.0.0.0 or later for the 11.x branch. The vendor-released patch is documented at https://support.pentaho.com/hc/en-us/articles/45676384909069. For environments where immediate upgrading is not feasible, administrators should consider restricting network-level access to the Pentaho server to trusted internal networks or VPN-only paths, which raises the effective attack complexity for any low-privilege account holder who is not already on the internal network. Additionally, auditing current user account permissions to minimize the number of accounts holding any authenticated access to the platform reduces the pool of potential abusers. These are compensating controls only and do not fix the underlying ACL absence; upgrading remains the authoritative remediation.

Share

CVE-2026-2254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy