CVE-2026-2254
Analyzed Analyzed - Analysis Complete

Access Control Bypass in Hitachi Vantara Pentaho

Vulnerability report for CVE-2026-2254, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-27

Last updated on: 2026-06-18

Assigner: Hitachi Vantara

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-27
Last Modified
2026-06-18
Generated
2026-07-06
AI Q&A
2026-05-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
hitachi vantara_pentaho_data_integration_and_analytics to 10.2.0.7 (exc)
hitachi vantara_pentaho_data_integration_and_analytics From 10.2.0.8 (exc) to 11.0.0.0 (exc)
hitachi vantara_pentaho_data_integration_and_analytics 8.3
hitachi vantara_pentaho_data_integration_and_analytics 9.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-2254 involves incorrect permission assignment on API endpoints related to platform mail notifications, allowing unauthorized actors to read or modify email configurations. This unauthorized access could lead to exposure or manipulation of sensitive information handled via email notifications.

Such unauthorized access and potential data manipulation may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data to ensure confidentiality and integrity.

Mitigating this vulnerability by upgrading to the fixed software versions helps maintain compliance by enforcing proper access controls and preventing unauthorized data access or modification.

Executive Summary

This vulnerability exists in Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including versions 9.3.x and 8.3.x. It occurs because Access Control Lists (ACLs) are not applied on certain API endpoints related to platform mail notifications.

Impact Analysis

Because ACLs are not enforced on specific API endpoints, unauthorized users with some level of privileges might be able to access or manipulate platform mail notification functions. This can lead to information disclosure, integrity issues, or availability problems related to the mail notification system.

Mitigation Strategies

The recommended mitigation is to upgrade to the latest release or service pack of Hitachi Vantara Pentaho Data Integration & Analytics where this vulnerability is addressed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart