CVE-2026-2254
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications.
Risk Assessment
The lack of proper security on these endpoints may lead to unauthorized access to sensitive information related to email notifications, posing a risk to the organization's data security.
Recommendation
It is recommended to upgrade to the latest version of the software to apply appropriate access control lists on all API endpoints.
Original NVD description (English source)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.

