Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from Vendor (HITVAN) · only source for this CVE.
CVSS VectorVendor: HITVAN
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
AnalysisAI
Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users to retrieve Hadoop cluster credentials via the Cluster Test API response. Affected versions span the 8.3.x, 9.3.x, and 10.x lines up to 10.2.0.6, as well as all pre-11.0.0.0 builds in the 11.x line. The vendor acknowledges partial self-mitigation: because the Cluster Test API is only accessible to users who already hold sufficient privileges to submit Hadoop jobs via the backend API, the incremental credential exposure is constrained - though the plaintext disclosure still enables credential harvesting for lateral movement or offline use. No public exploit code exists and EPSS is negligible at time of analysis.
Technical ContextAI
Pentaho Data Integration & Analytics (CPE: cpe:2.3:a:hitachi_vantara:pentaho_data_integration_and_analytics:*:*:*:*:*:*:*:*) is a data orchestration and analytics platform that integrates with Hadoop-based big-data clusters for ETL workloads. The Cluster Test API is a diagnostic endpoint used to validate connectivity and configuration of configured Hadoop cluster definitions stored within the platform. The root-cause class is CWE-522 (Insufficiently Protected Credentials): the API response includes Hadoop cluster credentials in plaintext rather than omitting, masking, or encrypting them before transmission to the client. This is a presentation-layer deficiency - the credentials are necessarily stored server-side to authenticate outbound Hadoop connections, but their inclusion in the API response body is not required for the diagnostic function and represents an unnecessary disclosure surface.
RemediationAI
The vendor-released fix is available in Pentaho Data Integration & Analytics version 10.2.0.6 (for the 10.x line) and version 11.0.0.0 (for the 11.x line). Organizations should upgrade to one of these patched releases as the primary remediation action, following the vendor advisory at https://support.pentaho.com/hc/en-us/articles/45672235545101. For environments where immediate upgrade is not feasible, a practical compensating control is to restrict network-level access to the Cluster Test API endpoint to only trusted administrative roles or source IP ranges, reducing the exposure surface to only those users who genuinely require cluster diagnostics. Additionally, rotating Hadoop cluster credentials registered within Pentaho and enforcing credential uniqueness (so Pentaho-stored credentials are not reused for direct cluster access by individuals) limits the utility of any credentials already disclosed. Note that the vendor's partial mitigation argument holds only if Pentaho role-based access controls are correctly scoped - environments with overly permissive role assignments should treat the risk as higher than the CVSS score suggests.
Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC d
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restr
External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privil
Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-p
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32046
GHSA-jmp2-cvfp-6gr9