CVE-2026-2255 Hitachi Vantara CVE debrief

Who should care

Organizations running Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.6 or 11.0.0.0, particularly those with Hadoop cluster integrations. Security teams should prioritize patching environments where multiple users have authenticated access to the Pentaho platform and Hadoop job submission capabilities.

Technical summary

The Cluster Test API in affected Pentaho versions returns Hadoop cluster credentials in plain text. This is an instance of CWE-522 (Insufficiently Protected Credentials). The attack vector is network-based, requires low attack complexity, and requires authenticated access (PR:L). The confidentiality impact is low as the exposed credentials are already usable by the authenticated user through legitimate backend API functions. No integrity or availability impact is assigned.

Defensive priority

medium

Recommended defensive actions

• Upgrade to Hitachi Vantara Pentaho Data Integration & Analytics version 10.2.0.6 or 11.0.0.0 or later
• Review access controls to the Cluster Test API to ensure least-privilege access
• Audit Hadoop cluster credential usage and rotate credentials if unauthorized access is suspected
• Monitor for anomalous job submissions in affected Hadoop environments
• Review vendor security advisory for additional configuration guidance

Evidence notes

The vulnerability description and affected versions are sourced from the official CVE record and NVD entry. The vendor advisory confirms the issue affects Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) supports the MEDIUM severity rating.

Official resources