CVE-2026-2253
XML External Entity Injection in Hitachi Vantara Pentaho Data Integration

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Hitachi Vantara

Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, do not prevent certain XML parsers from resolving external entities.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (4 associated CPEs)
Vendor            Product                                   Version / Range
hitachi_vantara   pentaho_data_integration_and_analytics    up to 10.2.0.7 (excluding)
hitachi_vantara   pentaho_data_integration_and_analytics    from 9.3.0 (including) up to 10.2.0.7 (excluding)
hitachi_vantara   pentaho_data_integration_and_analytics    from 8.3.0 (including) up to 10.2.0.7 (excluding)
hitachi_vantara   pentaho_data_integration_and_analytics    up to 11.0.0.0 (excluding)
CWE
CWE-611: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Executive Summary

This vulnerability exists in Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including versions 9.3.x and 8.3.x. Certain XML parsers in these versions do not prevent the resolution of external entities, which exposes the product to XML External Entity (XXE) attacks.

Compliance Impact

CVE-2026-2253 involves improper restriction of XML External Entity (XXE) references, which can allow an attacker to cause the application to make unauthorized external HTTP requests. This behavior can potentially lead to data exposure or unauthorized data access.

Such vulnerabilities may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized data disclosure. Exploitation of this vulnerability could undermine these requirements by enabling data leakage or bypassing security controls.

To maintain compliance, it is recommended to upgrade to the fixed versions of the software where this vulnerability is addressed.

Detection Guidance

This vulnerability involves the improper restriction of XML External Entity (XXE) references, where the application processes XML documents containing external entity URIs that cause outgoing HTTP requests.

Detection on your network or system can involve monitoring for unusual outgoing HTTP requests initiated by the Pentaho Data Integration & Analytics application, especially those triggered by XML processing.

You can use network monitoring tools or commands to detect such behavior, for example:

  • Use tcpdump or Wireshark to capture outgoing HTTP requests from the server running Pentaho.
  • Example tcpdump command, capturing only connections that originate from the Pentaho host (note that `and` binds tighter than `or` in pcap filters, so the port alternatives must be parenthesised, and that this filter only sees HTTP(S) on the default ports): tcpdump -i <interface> 'src host <pentaho_server_ip> and tcp and (dst port 80 or dst port 443)'
  • Check application logs for XML processing errors or unexpected external entity resolution attempts.
  • Use tools like grep to search for XML files or logs containing DOCTYPE declarations or external entity references.

Mitigation Strategies

The recommended immediate mitigation step is to upgrade Hitachi Vantara Pentaho Data Integration & Analytics to the latest release or service pack where this vulnerability is fixed.

Until the upgrade can be performed, consider restricting the application’s ability to make outgoing HTTP requests to untrusted external hosts by applying network-level controls such as firewall rules.

Additionally, review and harden XML parser configurations to disable external entity resolution if possible.
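As an added illustration of the two controls above (the grep-style search for DOCTYPE and external entity declarations from the detection guidance, and a parser gate that refuses documents carrying a DTD), the following is example code written for this page, not Pentaho's own code, and in Python rather than the product's Java. The sample documents and the callback URI are constructed placeholders.

```python
"""Detect and refuse XML external entity (XXE, CWE-611) declarations.
find_external_entities() is the 'grep' check for SYSTEM/PUBLIC entity
declarations; parse_strict() hands only DOCTYPE-free documents to the parser."""
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">, and the
# parameter-entity form <!ENTITY % name SYSTEM "uri"> used to pull remote DTDs.
EXT_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s*)?(?P<name>[^\s>]+)\s+'
    r'(?:SYSTEM\s+|PUBLIC\s+["\'][^"\']*["\']\s+)'
    r'["\'](?P<uri>[^"\']*)["\']',
    re.IGNORECASE,
)


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD and therefore may resolve entities."""


def find_external_entities(xml_text):
    """Return (entity name, URI) for every external entity declared in the DTD."""
    return [(m.group("name"), m.group("uri")) for m in EXT_ENTITY_RE.finditer(xml_text)]


def parse_strict(xml_text):
    """Parse only if there is no DOCTYPE at all: data files such as
    transformation definitions never legitimately need a DTD."""
    if DOCTYPE_RE.search(xml_text):
        raise UnsafeXML(f"DOCTYPE present; external entities: {find_external_entities(xml_text)}")
    return ET.fromstring(xml_text)


# Constructed sample: an XXE probe shaped like a transformation document.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE transformation [
  <!ENTITY ext SYSTEM "http://xxe-callback.example/ping">
]>
<transformation><name>&ext;</name></transformation>"""

# Constructed sample: the same document without a DTD, which the gate accepts.
CLEAN_SAMPLE = "<transformation><name>demo</name></transformation>"

if __name__ == "__main__":
    print("external entities:", find_external_entities(XXE_SAMPLE))
    try:
        parse_strict(XXE_SAMPLE)
    except UnsafeXML as exc:
        print("rejected:", exc)
    print("accepted root:", parse_strict(CLEAN_SAMPLE).tag)
```

Run find_external_entities() over each file or log line to get the same result as the grep suggested above, with the entity name and target URI extracted for triage.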

Impact Analysis

The vulnerability has a CVSS v3.1 base score of 7.7, indicating a high severity. It allows an attacker with low privileges and no user interaction to exploit the system remotely over the network. The impact is primarily on confidentiality, potentially allowing unauthorized access to sensitive data through the resolution of external XML entities.
