Description
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available.
Published: 2026-05-20
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Talend Administration Center contains a broken access control flaw that permits users who only hold a ‘View’ role to alter the Talend Studio update URL. This unauthorized modification can redirect the update process to a malicious source, potentially leading to code execution or the introduction of compromised components. The weakness is a classic example of improper access control (CWE‑284) and poses a serious threat to system integrity.

Affected Systems

Any deployment of Talend Administration Center that has not yet received the vendor‑published security patch is vulnerable. The advisory does not disclose specific affected versions, so the exact scope across the product line remains undefined. Until the vendor patch is applied, every installation is at risk.

Risk and Exploitability

The CVSS score of 8.2 rates this issue as high severity. With no EPSS value reported and the vulnerability not currently listed in the CISA KEV catalog, the public risk remains theoretical, yet the flaw enables an authenticated user with minimal privileges to modify critical configuration. The likely attack vector requires a user account with view‑level access, making internal compromise or social engineering a realistic threat path.

Generated by OpenCVE AI on May 20, 2026 at 07:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑published patch for Talend Administration Center that addresses the broken access control for update URL modification.
  • Adjust role‑based access controls so that only users with appropriate administrative permissions can modify the update URL, ensuring the ‘View’ role is explicitly denied configuration changes.
  • Monitor system logs for any unauthorized attempts to change the update URL and investigate promptly.

Generated by OpenCVE AI on May 20, 2026 at 07:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 20 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available.
Title Security fix for Qlik Talend Administration Center URL access control vulnerability
First Time appeared Talend
Talend administration Center
CPEs cpe:2.3:a:talend:administration_center:*:*:*:*:*:*:*:*
Vendors & Products Talend
Talend administration Center
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Talend Administration Center
cve-icon MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-05-20T13:08:08.157Z

Reserved: 2026-05-20T04:38:31.550Z

Link: CVE-2026-9057

cve-icon Vulnrichment

Updated: 2026-05-20T13:08:03.020Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T05:16:23.467

Modified: 2026-05-20T14:04:18.950

Link: CVE-2026-9057

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T07:30:25Z

Weaknesses