CVE-2026-2254
Received - Intake
Access Control Bypass in Hitachi Vantara Pentaho

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Hitachi Vantara

Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-27
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor           Product                                 Version / Range
hitachi_vantara  pentaho_data_integration_and_analytics  to 10.2.0.6 (exc)
hitachi_vantara  pentaho_data_integration_and_analytics  9.3.*
hitachi_vantara  pentaho_data_integration_and_analytics  8.3.*
hitachi_vantara  pentaho_data_integration_and_analytics  to 11.0.0.0 (exc)
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including versions 9.3.x and 8.3.x. It occurs because Access Control Lists (ACLs) are not applied on certain API endpoints related to platform mail notifications.


How can this vulnerability impact me?

Because ACLs are not enforced on specific API endpoints, unauthorized users with some level of privileges might be able to access or manipulate platform mail notification functions. This can lead to information disclosure, integrity issues, or availability problems related to the mail notification system.

