Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those credentials explicitly, the defect is mitigated by the fact that the user can already leverage them to submit jobs under the same account through the backend API.

PUBLISHED Reserved 2026-02-09 | Published 2026-05-27 | Updated 2026-05-27 | Assigner HITVAN




MEDIUM: 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-522: Insufficiently Protected Credentials

Product status

Default status: unaffected

1.0 (maven) before 10.2.0.6: affected

10.0 (maven) before 11.0.0: affected

Credits

Hitachi Group Member finder

References

support.pentaho.com/...6-and-11-0-0-0-Impacted-CVE-2026-2255

cve.org (CVE-2026-2255)

nvd.nist.gov (CVE-2026-2255)