Description
A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch.
Published: 2026-04-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability enables an attacker who can reach the Talend JobServer or Talend ESB Runtime’s JMX monitoring port to execute arbitrary code without authentication. This permits full compromise of the host, affecting confidentiality, integrity, and availability.

Affected Systems

The page lists no version bounds: the CPEs (cpe:2.3:a:talend:jobserver and cpe:2.3:a:talend:esb_runtime, both with a wildcard version) cover Talend JobServer and Talend ESB Runtime generally. For ESB Runtime, the JobServer JMX monitoring port is disabled by default from the R2024‑07‑RT patch, so installations at or after that level are exposed only where the port has been re‑enabled. For JobServer, requiring TLS client authentication on the monitoring port reduces exposure, but the vendor states that the patch must still be applied for full mitigation.

Risk and Exploitability

With a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) the flaw is rated critical: it is reachable over the network, needs no privileges or user interaction, and yields full loss of confidentiality, integrity and availability. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation while marking it Automatable. Exploitation is straightforward wherever the JMX monitoring port is reachable from an untrusted network without TLS client authentication, so verifying whether that port is exposed is the first step of triage.

Generated by OpenCVE AI on April 14, 2026 at 04:50 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround, but the CVE description itself identifies the remediation: the vendor patch is required for full mitigation, with TLS client authentication on the JobServer monitoring port and disabling the port on ESB Runtime (off by default from R2024‑07‑RT) as interim mitigations.

OpenCVE Recommended Actions

  • Apply the vendor‑released security fix for Talend JobServer and Talend ESB Runtime as soon as possible; for ESB Runtime, the R2024‑07‑RT patch also turns the JobServer JMX monitoring port off by default.
  • If immediate patching is not possible, require TLS client authentication on the Talend JobServer JMX monitoring port as an interim measure; the vendor notes this alone is not a full mitigation.
  • For Talend ESB Runtime, disable the JobServer JMX monitoring port, or at minimum restrict it to trusted networks until it can be disabled.
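To verify the exposure the analysis and actions above turn on, here is an added probe (not code from OpenCVE or Talend) that sends the standard Java RMI (JRMP) stream-protocol handshake to a host and port and reports whether the listener accepts a cleartext handshake, answers with a TLS record, or does not respond. It assumes the monitoring port is an RMI-based JMX listener, which the advisory implies but does not spell out; the target host and port in the usage stub are placeholders, not values from the page.

```python
"""Probe a JMX/RMI monitoring port for a plaintext JRMP handshake.

JMX remote management normally rides on Java RMI (JRMP). A listener that
acknowledges a cleartext JRMP hello is accepting connections without TLS,
which is the exposed state this advisory is about. A listener that answers
with a TLS record is at least wrapped in TLS; whether it enforces client
authentication cannot be decided from this single probe.
"""
import socket
import struct

# JRMP stream-protocol hello (RMI wire protocol): "JRMI", version 2, protocol byte 0x4B.
JRMP_HELLO = b"JRMI" + struct.pack(">H", 2) + bytes([0x4B])
PROTOCOL_ACK = 0x4E   # server accepted the stream protocol
PROTOCOL_NACK = 0x4F  # server rejected the protocol
TLS_RECORD_TYPES = {0x15, 0x16}  # TLS alert / handshake record types


def classify_response(data: bytes) -> str:
    """Label the first bytes a listener sends back after our JRMP hello."""
    if not data:
        return "no-response"  # closed or silent: TLS servers often just drop garbage
    if data[0] == PROTOCOL_ACK:
        return "plaintext-jrmp"  # cleartext RMI accepted: no TLS on this port
    if data[0] == PROTOCOL_NACK:
        return "jrmp-nack"
    if data[0] in TLS_RECORD_TYPES and len(data) >= 3 and data[1] == 0x03:
        return "tls"  # a TLS record (major version byte 0x03) came back
    return "unknown"


def parse_protocol_ack(data: bytes):
    """Decode the EndpointIdentifier after ProtocolAck: UTF host, then int32 port.

    Returns (host, port), or None if the buffer is not a well-formed ack.
    """
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    end = 3 + host_len
    if len(data) < end + 4:
        return None
    host = data[3:end].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">i", data[end:end + 4])
    return host, port


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect over TCP, send the JRMP hello and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(JRMP_HELLO)
            try:
                data = s.recv(64)
            except socket.timeout:
                data = b""
    except OSError as exc:
        return f"unreachable ({exc})"
    verdict = classify_response(data)
    if verdict == "plaintext-jrmp":
        endpoint = parse_protocol_ack(data)
        if endpoint:
            verdict += f" (server sees this client as {endpoint[0]}:{endpoint[1]})"
    return verdict


if __name__ == "__main__":
    import sys
    # Placeholder target: substitute the JobServer host and the monitoring port
    # from your own JobServer configuration (assumed values, not from the advisory).
    target_host = sys.argv[1] if len(sys.argv) > 1 else "jobserver.example.internal"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8888
    print(f"{target_host}:{target_port} -> {probe(target_host, target_port)}")
```

A "plaintext-jrmp" verdict from outside the management network is the condition the CVSS vector describes and should be treated as an incident until the port is disabled or patched. A "tls" verdict only shows the transport is wrapped; to confirm that client authentication is actually required, follow up with `openssl s_client -connect host:port` and check that the server requests a client certificate rather than completing the handshake anonymously.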

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Values added (nothing removed):
  Weaknesses: CWE-284, CWE-287

Tue, 14 Apr 2026 16:30:00 +0000

Values added (nothing removed):
  First Time appeared: Talend talend Jobserver
  Vendors & Products: Talend talend Jobserver

Tue, 14 Apr 2026 14:15:00 +0000

Values added (nothing removed):
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 02:45:00 +0000

Values added (nothing removed):
  Description: A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch.
  Title: Critical Security fix for the Talend JobServer and Talend Runtime
  First Time appeared: Talend; Talend esb Runtime; Talend jobserver
  CPEs: cpe:2.3:a:talend:esb_runtime:*:*:*:*:*:*:*:*; cpe:2.3:a:talend:jobserver:*:*:*:*:*:*:*:*
  Vendors & Products: Talend; Talend esb Runtime; Talend jobserver
  References: (none)
  Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-04-16T00:03:18.302Z

Reserved: 2026-04-14T01:12:19.962Z

Link: CVE-2026-6264

Vulnrichment

Updated: 2026-04-14T13:08:52.873Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T03:16:09.050

Modified: 2026-04-17T15:26:13.013

Link: CVE-2026-6264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:00Z

Weaknesses