PatchSiren cyber security CVE debrief
CVE-2026-2254 Hitachi Vantara CVE debrief
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, contain an incorrect permission assignment vulnerability (CWE-732) affecting API endpoints related to platform mail notifications. The vulnerability allows authenticated users with low privileges to bypass access control lists (ACLs) on certain mail notification APIs, potentially enabling unauthorized access to mail-related functionality. The CVSS 3.1 score of 6.3 (Medium severity) reflects network attack vector, low attack complexity, low privileges required, no user interaction, and impacts to confidentiality, integrity, and availability. The vulnerability was published on May 27, 2026, with vendor acknowledgment via Hitachi Vantara's security advisories. No known exploitation in ransomware campaigns has been reported.
- Vendor: Hitachi Vantara
- Product: Pentaho Data Integration and Analytics
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.6 or 11.0.0.0, particularly those with multi-user deployments where non-administrative users have platform access. Security teams responsible for ETL/data integration platform security, identity and access management administrators, and compliance officers monitoring for improper access control violations should prioritize assessment.
Technical summary
The vulnerability stems from missing ACL enforcement on specific platform mail notification API endpoints in Pentaho Data Integration & Analytics. Authenticated users with low privileges can access these endpoints without proper authorization checks, violating the principle of least privilege. The affected endpoints relate to mail notification functionality, which may include configuration retrieval, modification, or triggering operations. The fix in versions 10.2.0.6 and 11.0.0.0 implements proper ACL validation before processing requests to these endpoints.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to Hitachi Vantara Pentaho Data Integration & Analytics version 10.2.0.6 or 11.0.0.0 or later per vendor advisory
- Review and restrict network access to Pentaho platform mail notification API endpoints to authorized administrative hosts only
- Audit mail notification configuration and access logs for unauthorized API usage in affected versions
- Validate ACL enforcement on mail notification endpoints after patching through authenticated access testing
- Monitor for anomalous API requests to mail notification endpoints from non-administrative user accounts
Evidence notes
Vendor advisory confirms affected versions and remediation paths. NVD record establishes CVSS vector and CWE classification. No CISA KEV entry present.
Official resources
- CVE-2026-2254 CVE record (CVE.org)
- CVE-2026-2254 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: public