Skip to main content

Talend Administration Center EUVDEUVD-2026-31061

| CVE-2026-9057 HIGH
2026-05-20 Bugcrowd GHSA-vg5m-3g3f-898p
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 05:15 vuln.today

DescriptionCVE.org

A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available.

AnalysisAI

Privilege escalation via broken access control in Talend Administration Center allows a low-privileged user holding only 'View' permission to modify the Talend Studio update URL, redirecting downstream Studio clients to attacker-controlled update endpoints. The flaw has a CVSS 8.2 rating reflecting changed scope and high confidentiality/integrity impact, and no public exploit identified at time of analysis. A vendor patch is available per the Qlik/Talend support advisory.

Technical ContextAI

Talend Administration Center (TAC) is the centralized web-based management console for the Talend data-integration platform, used to govern users, projects, job execution, and Studio client configuration including the update server URL that Talend Studio installations consult for software updates. The underlying weakness is a missing or insufficient authorization check on the update-URL configuration endpoint, a classic broken access control issue (CWE-284 / CWE-285 family, although CWE is unspecified in the input). Because the update URL is consumed by all connected Studio clients, the misconfigured permission boundary on a single administrative setting yields cross-component impact, which is why the CVSS scope is marked Changed.

RemediationAI

Patch available per vendor advisory - apply the fix documented in the Qlik/Talend support article at https://community.qlik.com/t5/Official-Support-Articles/Security-fix-for-Qlik-Talend-Administration-Center-URL-access/ta-p/2548524, which is the authoritative source for the exact patched version mapping to your TAC release. As a compensating control until patching, audit and tighten user role assignments to remove 'View' permission from accounts that do not require it and review the configured Talend Studio update URL to confirm it points to a trusted vendor endpoint; note that restricting 'View' permission may impair legitimate monitoring users, so coordinate with operations. Additionally, restrict network access to the TAC web console to a trusted administrative network segment, which reduces exposure but does not eliminate the issue for internal attackers.

Share

EUVD-2026-31061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy