CVE-2026-2255
Hitachi Vantara Pentaho Data Integration Plaintext Hadoop Credentials Exposure
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Hitachi Vantara
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hitachi_vantara | pentaho_data_integration_and_analytics | to 10.2.0.6; before 11.0.0.0 (exclusive) |
| hitachi_vantara | pentaho_data_integration_and_analytics | 9.3 |
| hitachi_vantara | pentaho_data_integration_and_analytics | 8.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including versions 9.3.x and 8.3.x. It causes Hadoop cluster credentials to be exposed in plain text through the Cluster Test API. Users are not supposed to see these credentials explicitly, even though they can already use those credentials to submit jobs under the same account via the backend API.
How can this vulnerability impact me?
Sensitive Hadoop cluster credentials are exposed in plain text, which could allow unauthorized users to access or misuse them. The risk is somewhat mitigated because users who can access the Cluster Test API can already submit jobs under the same account through the backend API, so the exposure does not grant privileges beyond what the user already has.