Description
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0 expose Hadoop cluster credentials in plain text through the Cluster Test API. The credentials are not directly displayed to the user, but the flaw allows an attacker to capture them and then use those same credentials to submit jobs under the same account via the backend API. This constitutes a credential disclosure vulnerability that can enable unauthorized job submission, potential data access, and misuse of computational resources.

Affected Systems

The affected products are Hitachi Vantara Pentaho Data Integration and Analytics for versions 9.3.x, 8.3.x, and any release before 10.2.0.6 and 11.0.0.0. Users running these versions on Hadoop clusters should review the release notes and patch status.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the lack of an EPSS score means no publicly available data on exploitation rate; the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the Cluster Test API endpoint, which is likely accessible to authenticated users in the system. The flaw does not require privileged access beyond normal application users, so the risk is moderate to high if the credentials are compromised.

Generated by OpenCVE AI on May 27, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pentaho Data Integration & Analytics to version 10.2.0.6 or later, or 11.0.0.0 or later, which fixes the credential exposure issue.
  • Disable or restrict access to the Cluster Test API to prevent credential leakage.
  • Ensure Hadoop cluster credentials are stored encrypted in configuration and not exposed via APIs; apply configuration changes to enforce encryption.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 04:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hitachi; Hitachi vantara Pentaho Data Integration And Analytics
Vendors & Products | | Hitachi; Hitachi vantara Pentaho Data Integration And Analytics

Wed, 27 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
Title | | Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials
Weaknesses | | CWE-522
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: HITVAN

Published:

Updated: 2026-05-27T18:00:39.061Z

Reserved: 2026-02-09T15:09:09.473Z

Link: CVE-2026-2255

Vulnrichment

Updated: 2026-05-27T18:00:35.379Z

NVD

Status: Awaiting Analysis

Published: 2026-05-27T04:16:26.833

Modified: 2026-05-27T19:55:50.070

Link: CVE-2026-2255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T04:30:16Z
