CVE-2026-2254

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

27/05/2026

Last modified:

27/05/2026

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 6.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

Base Score 3.x

6.30

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://support.pentaho.com/hc/en-us/articles/45676384909069--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-10-2-0-6-and-11-0-0-0-Impacted-CVE-2026-2254?brand_id=1928686