Vulnerability Details CVE-2026-2255
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 6.0%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2026-2255
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:*
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:-
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:1.0
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:10.1.0.0
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:8.3
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:9.3
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:9.3.0.6
-
cpe:2.3:a:hitachi:vantara_pentaho_data_integration_and_analytics:9.4.0.0