CVE-2026-2254

MEDIUM

Hitachi Vantara Pentaho Data Integration & Analytics - Incorrect Permission Assignment for Critical Resource

Title source: cna

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.

References (1)

Core 1

Core References

https://support.pentaho.com/hc/en-us/articles/45676384909069--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-10-2-0-6-and-11-0-0-0-Impacted-CVE-2026-2254?brand_id=1928686

Scores

CVSS v3 6.3

EPSS 0.0004

EPSS Percentile 11.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-732

Status published

Products (2)

Hitachi Vantara/Pentaho Data Integration and Analytics 1.0 - 10.2.0.6

Hitachi Vantara/Pentaho Data Integration and Analytics 10.0 - 11.0.0.0

Published May 27, 2026

Tracked Since May 27, 2026