CVE Catalog

CVE-2026-2255

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile - higher than 6% of all known CVEs

Summary

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.

Risk Assessment

The exposure of Hadoop cluster credentials in plain text poses a risk of unauthorized access to cluster resources, potentially leading to serious data security breaches.

Recommendation

It is recommended to upgrade to the latest version of Pentaho Data Integration & Analytics to eliminate this vulnerability and implement additional security measures to protect credentials.

Original NVD description (English source)

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS