Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications.
Published: 2026-05-27
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hitachi Vantara Pentaho Data Integration & Analytics does not enforce ACLs on certain API endpoints used for platform mail notifications, so an authenticated user holding only low privileges (CVSS PR:L) can invoke operations on those endpoints that should require a higher permission level. The weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The CVSS vector rates the confidentiality, integrity and availability impact all as Low with unchanged scope, which is consistent with an attacker reading or altering notification configuration and content, or triggering notifications, rather than compromising the platform as a whole; the advisory text does not state which operations the affected endpoints expose.

Affected Systems

Versions of Hitachi Vantara Pentaho Data Integration & Analytics released before 10.2.0.6 and 11.0.0.0, including the 9.3.x and 8.3.x series, are affected. The flaw lies in the API endpoints that handle platform mail notifications; the advisory does not name them individually.

Risk and Exploitability

The CVSS 3.1 base score is 6.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L: reachable over the network, low attack complexity, low privileges required and no user interaction. EPSS is below 1% (Very Low), and the CISA SSVC assessment records Exploitation: none and Automatable: no, so there is no evidence of exploitation in the wild and the CVE is not in CISA KEV. The likely attack path is an authenticated network request to the affected endpoints; the advisory does not disclose the endpoints, the operations they expose or any further exploitation requirements.

Generated by OpenCVE AI on May 27, 2026 at 04:21 UTC.

Remediation

No vendor advisory, fix reference or workaround is linked on this page. The CVE description itself identifies 10.2.0.6 and 11.0.0.0 as the first versions that are not affected.

OpenCVE Recommended Actions

  • Upgrade to Pentaho Data Integration & Analytics version 10.2.0.6 or later, or 11.0.0.0 or later, as released by Hitachi Vantara.
  • After the upgrade, verify that the platform mail notification API endpoints reject requests from an account that lacks the relevant permission (expect HTTP 401 or 403), not merely that they still work for administrators.
  • If an upgrade is not immediately possible, restrict network access to the affected endpoints using firewall rules or an API gateway until the patch is applied. Because the flaw is exploitable by an authenticated low-privilege user (PR:L), network filtering only reduces exposure from outside the trusted network; it does not protect against existing platform users.
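One way to carry out the verification step above, as an added example that is not Pentaho's, Hitachi Vantara's or OpenCVE's code: a small Python probe that authenticates as a deliberately low-privilege account and checks that each restricted endpoint answers 401 or 403, plus a control endpoint that the same account is allowed to use, so that a wrong password or a disabled account cannot pass for an enforced ACL. The base URL, the probe account and every path in CONTROL and ENDPOINTS are placeholders, since the advisory does not name the affected endpoints; the simulated transport is a constructed stand-in used only for the offline dry run.

```python
"""Post-upgrade ACL probe for a list of API endpoints.

Added example; not code from Hitachi Vantara, Pentaho or OpenCVE. The
advisory does not name the affected endpoints, so BASE_URL, the probe
account and every path in CONTROL and ENDPOINTS are placeholders the
operator replaces before a live run.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://pentaho.example.internal"   # placeholder
PROBE_USER = "acl-probe"                        # placeholder: account with minimal rights
PROBE_PASS = "replace-me"                       # placeholder
# Placeholder paths. CONTROL is a call the probe account IS allowed to make;
# ENDPOINTS are the mail-notification endpoints it must NOT be able to call.
CONTROL = ("GET", "/api/placeholder/allowed-for-all-users")
ENDPOINTS = [
    ("GET", "/api/placeholder/mail-notification"),
    ("POST", "/api/placeholder/mail-notification/send"),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page must not be mistaken
    for a successful 2xx after the redirect has been followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _status(request_fn, method, url, user, password):
    """Send one request with HTTP Basic credentials and return the status code."""
    req = urllib.request.Request(url, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with request_fn(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # every non-2xx arrives here
        return err.code


def run_probe(endpoints, control, base_url=BASE_URL, user=PROBE_USER,
              password=PROBE_PASS, request_fn=None):
    """Return {(method, path): verdict} with verdict 'denied', 'ALLOWED' or
    'inconclusive (...)'. If the control call is not 2xx the probe account
    itself is not usable, and every endpoint is reported as inconclusive."""
    if request_fn is None:
        request_fn = urllib.request.build_opener(_NoRedirect()).open
    ctl = _status(request_fn, control[0], base_url + control[1], user, password)
    if not 200 <= ctl < 300:
        return {ep: "inconclusive (control returned %d)" % ctl for ep in endpoints}
    verdicts = {}
    for method, path in endpoints:
        st = _status(request_fn, method, base_url + path, user, password)
        if st in (401, 403):
            verdicts[(method, path)] = "denied"
        elif 200 <= st < 300:
            verdicts[(method, path)] = "ALLOWED"        # ACL missing or too broad
        else:
            verdicts[(method, path)] = "inconclusive (%d)" % st
    return verdicts


def simulated_transport(status_by_path):
    """Constructed offline stand-in for the opener, answering by URL path.
    Used only for the dry run; a live run leaves request_fn at its default."""
    class _Resp:
        def __init__(self, status):
            self.status = status

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def _open(req, timeout=10):
        path = urllib.parse.urlsplit(req.full_url).path
        status = status_by_path.get(path, 404)
        if status >= 300:
            raise urllib.error.HTTPError(req.full_url, status, "simulated", {}, None)
        return _Resp(status)
    return _open


if __name__ == "__main__":
    # Dry run against a constructed server: control reachable, first endpoint
    # still open (the pre-fix behaviour), second endpoint correctly denied.
    fake = simulated_transport({CONTROL[1]: 200, ENDPOINTS[0][1]: 200,
                                ENDPOINTS[1][1]: 403})
    for (method, path), verdict in run_probe(ENDPOINTS, CONTROL, request_fn=fake).items():
        print("%-4s %-45s %s" % (method, path, verdict))
```

For a live run replace the placeholders with the endpoints named in the vendor advisory and leave request_fn at its default. A redirect to a login page or a 5xx is reported as inconclusive rather than as a pass, and a verdict of ALLOWED on any restricted endpoint after the upgrade means the ACL is still not enforced for that account.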

Generated by OpenCVE AI on May 27, 2026 at 04:21 UTC.


Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 04:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Hitachi; Hitachi vantara Pentaho Data Integration And Analytics
Vendors & Products                     Hitachi; Hitachi vantara Pentaho Data Integration And Analytics

Wed, 27 May 2026 03:30:00 +0000

Type                  Values Removed   Values Added
Description                            Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications.
Title                                  Hitachi Vantara Pentaho Data Integration & Analytics - Incorrect Permission Assignment for Critical Resource
Weaknesses                             CWE-732
References
Metrics                                cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: HITVAN

Published:

Updated: 2026-05-27T18:00:14.572Z

Reserved: 2026-02-09T15:09:08.406Z

Link: CVE-2026-2254

Vulnrichment

Updated: 2026-05-27T18:00:00.792Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T04:16:26.693

Modified: 2026-05-27T19:55:50.070

Link: CVE-2026-2254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T04:30:16Z

Weaknesses