CVE-2026-2255
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
Risk Assessment
The exposure of Hadoop cluster credentials in plain text poses a risk of unauthorized access to cluster resources, potentially leading to serious data security breaches.
Recommendation
It is recommended to upgrade to the latest version of Pentaho Data Integration & Analytics to eliminate this vulnerability and implement additional security measures to protect credentials.
Original NVD description (English source)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.

