Skip to main content

Pentaho Data Integration CVE-2026-2255

| EUVDEUVD-2026-32046 MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-05-27 HITVAN GHSA-jmp2-cvfp-6gr9
4.3
CVSS 3.1 · Vendor: HITVAN
Share

Severity by source

Vendor (HITVAN) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (HITVAN) · only source for this CVE.

CVSS VectorVendor: HITVAN

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:24 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.

AnalysisAI

Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users to retrieve Hadoop cluster credentials via the Cluster Test API response. Affected versions span the 8.3.x, 9.3.x, and 10.x lines up to 10.2.0.6, as well as all pre-11.0.0.0 builds in the 11.x line. The vendor acknowledges partial self-mitigation: because the Cluster Test API is only accessible to users who already hold sufficient privileges to submit Hadoop jobs via the backend API, the incremental credential exposure is constrained - though the plaintext disclosure still enables credential harvesting for lateral movement or offline use. No public exploit code exists and EPSS is negligible at time of analysis.

Technical ContextAI

Pentaho Data Integration & Analytics (CPE: cpe:2.3:a:hitachi_vantara:pentaho_data_integration_and_analytics:*:*:*:*:*:*:*:*) is a data orchestration and analytics platform that integrates with Hadoop-based big-data clusters for ETL workloads. The Cluster Test API is a diagnostic endpoint used to validate connectivity and configuration of configured Hadoop cluster definitions stored within the platform. The root-cause class is CWE-522 (Insufficiently Protected Credentials): the API response includes Hadoop cluster credentials in plaintext rather than omitting, masking, or encrypting them before transmission to the client. This is a presentation-layer deficiency - the credentials are necessarily stored server-side to authenticate outbound Hadoop connections, but their inclusion in the API response body is not required for the diagnostic function and represents an unnecessary disclosure surface.

RemediationAI

The vendor-released fix is available in Pentaho Data Integration & Analytics version 10.2.0.6 (for the 10.x line) and version 11.0.0.0 (for the 11.x line). Organizations should upgrade to one of these patched releases as the primary remediation action, following the vendor advisory at https://support.pentaho.com/hc/en-us/articles/45672235545101. For environments where immediate upgrade is not feasible, a practical compensating control is to restrict network-level access to the Cluster Test API endpoint to only trusted administrative roles or source IP ranges, reducing the exposure surface to only those users who genuinely require cluster diagnostics. Additionally, rotating Hadoop cluster credentials registered within Pentaho and enforcing credential uniqueness (so Pentaho-stored credentials are not reused for direct cluster access by individuals) limits the utility of any credentials already disclosed. Note that the vendor's partial mitigation argument holds only if Pentaho role-based access controls are correctly scoped - environments with overly permissive role assignments should treat the risk as higher than the CVSS score suggests.

Share

CVE-2026-2255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy