CVE-2026-2254
Status: Awaiting Analysis (Queue)
Access Control Bypass in Hitachi Vantara Pentaho

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Hitachi Vantara

Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (4 associated CPEs)
Vendor           Product                                  Version / Range
hitachi_vantara  pentaho_data_integration_and_analytics   up to 10.2.0.6 (excluding)
hitachi_vantara  pentaho_data_integration_and_analytics   9.3.*
hitachi_vantara  pentaho_data_integration_and_analytics   8.3.*
hitachi_vantara  pentaho_data_integration_and_analytics   up to 11.0.0.0 (excluding)
CWE
CWE-732: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Quick Actions
Executive Summary

This vulnerability exists in Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including versions 9.3.x and 8.3.x. It occurs because Access Control Lists (ACLs) are not applied on certain API endpoints related to platform mail notifications.

Impact Analysis

Because ACLs are not enforced on these API endpoints, users who hold some privileges but were never granted access to the mail notification functions may be able to read or modify them. This can lead to information disclosure, integrity issues, or availability problems in the mail notification system.

Compliance Impact

CVE-2026-2254 involves incorrect permission assignment on API endpoints related to platform mail notifications, allowing unauthorized actors to read or modify email configuration. Such access could expose or alter sensitive information carried by email notifications.

Such unauthorized access and potential data manipulation may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data to ensure confidentiality and integrity.

Mitigating this vulnerability by upgrading to the fixed software versions helps maintain compliance by enforcing proper access controls and preventing unauthorized data access or modification.

Mitigation Strategies

The recommended mitigation is to upgrade to a fixed release (10.2.0.6 or 11.0.0.0 or later) or the corresponding service pack of Hitachi Vantara Pentaho Data Integration & Analytics.
