CVE-2026-2255
Analyzed
Analyzed - Analysis Complete
Hitachi Vantara Pentaho Data Integration Plaintext Hadoop Credentials Exposure
Vulnerability report for CVE-2026-2255, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-27
Last updated on: 2026-06-18
Assigner: Hitachi Vantara
Description
Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hitachi | vantara_pentaho_data_integration_and_analytics | to 10.2.0.7 (exc) |
| hitachi | vantara_pentaho_data_integration_and_analytics | From 10.2.0.8 (exc) to 11.0.0.0 (exc) |
| hitachi | vantara_pentaho_data_integration_and_analytics | 8.3 |
| hitachi | vantara_pentaho_data_integration_and_analytics | 9.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |