CVE-2026-2255
Awaiting Analysis - Queue
Hitachi Vantara Pentaho Data Integration Plaintext Hadoop Credentials Exposure

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Hitachi Vantara

Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
hitachi_vantara pentaho_data_integration_and_analytics to 10.2.0.6|end_excluding=11.0.0.0 (exc)
hitachi_vantara pentaho_data_integration_and_analytics 9.3
hitachi_vantara pentaho_data_integration_and_analytics 8.3
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Executive Summary

This vulnerability affects Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including versions 9.3.x and 8.3.x. It causes Hadoop cluster credentials to be exposed in plain text through the Cluster Test API. Although users are not supposed to see these credentials explicitly, the defect is mitigated by the fact that the user can already use those credentials to submit jobs under the same account via the backend API.

Impact Analysis

The impact of this vulnerability is that sensitive Hadoop cluster credentials are exposed in plain text, which could potentially allow unauthorized users to access or misuse these credentials. However, the risk is somewhat mitigated because users who can access the Cluster Test API can already submit jobs under the same account through the backend API, meaning the exposure does not grant additional privileges beyond what the user already has.

Compliance Impact

The vulnerability exposes Hadoop cluster credentials in plain text through the Cluster Test API. This exposure of sensitive credentials could potentially lead to unauthorized access or misuse of data, which may impact compliance with data protection standards and regulations such as GDPR and HIPAA that require safeguarding sensitive information.

However, the vulnerability is somewhat mitigated because the user can already leverage those credentials to submit jobs under the same account through the backend API, implying that the exposure does not grant additional privileges beyond what the user already has.
