Description
Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.
Published: 2026-05-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Pentaho Data Integration and Analytics platform includes an H2 database JDBC driver that is susceptible to external script execution when a data source administrator establishes a new connection. This flaw allows an attacker who can become an administrator or gain their credentials to run arbitrary code on the host system, potentially taking full control. The weakness is a command injection vulnerability, identified as CWE-1395.

Affected Systems

All versions of Hitachi Vantara Pentaho Data Integration and Analytics contain the vulnerable H2 JDBC driver, so every deployment, regardless of version, remains susceptible until the driver is removed or patched.

Risk and Exploitability

The CVSS score of 9.1 signals a severe vulnerability. The EPSS score is 0.00085, indicating a very low exploitation probability. The absence from the CISA KEV catalog suggests no widespread, active exploitation has been observed. The likely attack vector is local; an attacker who can assume or steal a data source administrator role can trigger the flaw during new connection creation. While remote exploitation would require the attacker to first authenticate as an administrator, once privileged, the ability to execute system commands is granted. No exploit code was reported, but the high severity warrants immediate action.

Generated by OpenCVE AI on June 2, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Hitachi Vantara release that removes or fixes the vulnerable H2 JDBC driver, as described in the support article.
  • If an update is not yet available, remove or disable the H2 JDBC driver from Pentaho’s classpath until a patch is released.
  • Restrict data source administrator privileges to trusted users, enforce strong authentication, and monitor for unauthorized attempts to create new database connections.


Tracking


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type          Values Removed    Values Added
Weaknesses                      NVD-CWE-Other
CPEs                            cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:*:*:*:*:*:*:*:*

Wed, 13 May 2026 15:15:00 +0000

Type          Values Removed    Values Added
Metrics                         ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 07:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Hitachi
                                        Hitachi vantara Pentaho Data Integration And Analytics
Vendors & Products                      Hitachi
                                        Hitachi vantara Pentaho Data Integration And Analytics

Wed, 13 May 2026 06:00:00 +0000

Type          Values Removed    Values Added
Description                     Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.
Title                           Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component
Weaknesses                      CWE-1395
References
Metrics                         cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Hitachi Vantara Pentaho Data Integration And Analytics
MITRE

Status: PUBLISHED

Assigner: HITVAN

Published:

Updated: 2026-05-13T14:44:36.235Z

Reserved: 2025-09-29T14:53:44.917Z

Link: CVE-2025-11159

Vulnrichment

Updated: 2026-05-13T14:44:33.630Z

NVD

Status: Analyzed

Published: 2026-05-13T06:16:11.517

Modified: 2026-06-02T18:26:55.843

Link: CVE-2025-11159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:00:13Z

Weaknesses