VYPR
Vypr Intelligence · AI-generated · May 31, 2026 · 6 CVEs

Hitachi Discloses Six CVEs Across Pentaho, RTU500, Ops Center, and HiDraw Products

Hitachi published six coordinated advisories on May 26–27, 2026, covering XML external entity injection, credential exposure, missing ACLs, a NULL pointer dereference, a heap buffer overflow, and a password masking flaw across four product lines.

Key findings

  • Three CVEs affect Pentaho Data Integration & Analytics, including an XXE injection (CVE-2026-2253, CVSS 7.7)
  • CVE-2026-2255 exposes Hadoop cluster credentials in plain text via the Cluster Test API
  • CVE-2026-8479 targets RTU500 industrial controllers in bidirectional IEC 60870-5-104 mode
  • CVE-2026-7310 is a heap buffer overflow in HiDraw's XML parser, requiring local authenticated access
  • CVE-2026-3314 leaves password fields unmasked in Hitachi Ops Center Analyzer and Infrastructure Analytics Advisor
  • Pentaho fixes shipped in versions 10.2.0.6, 10.2.0.7, and 11.0.0.0

Hitachi released six coordinated security advisories between May 26 and May 27, 2026, addressing vulnerabilities across four product families: Pentaho Data Integration & Analytics, RTU500, HiDraw, and Ops Center Analyzer (together with the related Infrastructure Analytics Advisor). The batch spans medium- to high-severity flaws; the highest-rated, an XML External Entity (XXE) injection in Pentaho, carries a CVSSv3 score of 7.7.

Pentaho Data Integration & Analytics accounts for three of the six CVEs. CVE-2026-2253 (High, 7.7) is an XML External Entity (XXE) injection affecting Pentaho versions before 10.2.0.7 and 11.0.0.0, including the 9.3.x and 8.3.x release lines. The product does not prevent certain XML parsers from resolving external entities, so an attacker who can get crafted XML parsed by the affected component can read files the server process has access to, or make the server issue requests to hosts it can reach (server-side request forgery). Hitachi addressed the issue in Pentaho 10.2.0.7 and 11.0.0.0.
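The bug class behind CVE-2026-2253, shown end to end. This is an added example, not Pentaho code (Pentaho is a Java application; the equivalent controls there are the JAXP parser features discussed after the block). It uses Python's expat binding because that exposes the external-entity callback directly: the naive resolver follows the SYSTEM identifier and the file contents land in the parsed document, the hardened one refuses every external entity. The secret file, the entity name and the `job` document are constructed for the demo.

```python
import tempfile
import xml.parsers.expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

# Constructed stand-in for a file the server process can read but the
# submitting user should never see (e.g. a credentials file).
SECRET_PATH = Path(tempfile.gettempdir()) / "xxe_demo_secret.txt"


def write_secret():
    SECRET_PATH.write_text("hadoop.password=hunter2")
    return SECRET_PATH


def xxe_payload(path):
    """Classic XXE document: declare an external entity, reference it in content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE job [\n'
        f'  <!ENTITY leak SYSTEM "{Path(path).as_uri()}">\n'
        ']>\n'
        '<job><name>&leak;</name></job>'
    )


def parse_naive(xml_text):
    """Vulnerable: resolves whatever SYSTEM identifier the document names.

    Returns the concatenated character data, which is where the leaked
    file contents end up. A http:// identifier here would be the SSRF variant.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def fetch(context, base, system_id, public_id):
        local = url2pathname(urlparse(system_id).path)
        # The child parser inherits the parent's handlers, so the entity's
        # text is appended to the same chunks list.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(Path(local).read_bytes(), True)
        return 1

    parser.ExternalEntityRefHandler = fetch
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_hardened(xml_text):
    """Fixed: refuse every external entity instead of resolving it.

    Raises ValueError on any document that references an external entity;
    ordinary documents parse normally.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def refuse(context, base, system_id, public_id):
        # Returning 0 makes expat abort the parse with an ExpatError rather
        # than silently dropping the reference, so the rejection is visible.
        return 0

    parser.ExternalEntityRefHandler = refuse
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"rejected XML input: {exc}") from exc
    return "".join(chunks)


def demo():
    """Run the payload through both parsers and report what each did."""
    payload = xxe_payload(write_secret())
    leaked = parse_naive(payload)
    try:
        parse_hardened(payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive_output": leaked,
        "naive_leaks_secret": "hunter2" in leaked,
        "hardened_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In a Java stack such as Pentaho's, the same hardening is done on the `DocumentBuilderFactory` or `SAXParserFactory` before any untrusted XML is parsed: set `http://apache.org/xml/features/disallow-doctype-decl` to true (which rejects the `<!DOCTYPE ...>` block outright) and, where DTDs must be tolerated, set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. The advisory does not say which of these Pentaho's fix applied; the point is that whichever parser is in use, the resolver for external identifiers must be off by default.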

CVE-2026-2254 (Medium, 6.3) involves missing access control list (ACL) enforcement on API endpoints related to platform mail notifications in the same Pentaho versions. This could allow an authenticated user to read or change email notification settings without proper authorization. CVE-2026-2255 (Medium, 4.3) exposes Hadoop cluster credentials in plain text through the Cluster Test API. Hitachi notes that although the user should not be shown those credentials explicitly, the impact is partly mitigated because the same user can already make use of the credentials through other functionality. Both CVE-2026-2254 and CVE-2026-2255 are fixed in Pentaho versions 10.2.0.6 and 11.0.0.0.

Two CVEs target industrial and embedded Hitachi products. CVE-2026-8479 (Medium) affects the RTU500 series when IEC 60870-5-104 bidirectional mode (BCI) is configured. A specially crafted sequence of messages sent over time can trigger a NULL pointer dereference, causing a denial-of-service condition. The vulnerability only applies to deployments that have the bidirectional communication feature enabled.

CVE-2026-7310 (Medium) is a heap-based buffer overflow in the XML parser of HiDraw, Hitachi's diagramming and engineering tool. An authenticated attacker with local access can exploit this by supplying a specially crafted XML file, potentially leading to memory corruption and arbitrary code execution. The full description was truncated in the advisory, but the vector (local, authenticated, file-based) implies limited practical exposure: the attacker must already hold an account on the host and be able to get a crafted file opened by the application.

The remaining CVE targets Hitachi's data center operations suite. CVE-2026-3314 (Medium, 4.6) is a missing password field masking vulnerability affecting Hitachi Ops Center Analyzer (detail view and probe modules), Hitachi Ops Center Analyzer viewpoint, and Hitachi Infrastructure Analytics Advisor (Data Center Analytics and Analytics probe modules). Password fields are displayed in plain text on screen, so the credentials are exposed to anyone who can see an authenticated session, whether over the operator's shoulder or through screen sharing, remote desktop, or screenshots.
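CVE-2026-2255 and CVE-2026-3314 are both cases of a credential reaching a place it should not: an API response in one case, a rendered form field in the other. The server-side control is the same for both, so one added example covers both passages. It is not Hitachi's code; the response body, key names and secret values are constructed for the demo. `redact` returns a copy of a response with secret-looking values masked before serialization, and `find_leaks` is the regression check a practitioner would add to an API test: given the secrets the server holds, assert none of them appear verbatim in what it sends back.

```python
import copy
import json
import re

# Key names that commonly hold secrets. Constructed for this example; a
# deployment would tune the list to its own configuration schema.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|credential|keytab)", re.IGNORECASE)
MASK = "********"

# Constructed response loosely modelled on a per-cluster connection test.
# The "hdfs.password", "jdbc.password" and "keytab_secret" values are the
# ones the Cluster Test API must never echo back.
SAMPLE_RESPONSE = {
    "cluster": "analytics-prod",
    "tests": [
        {
            "name": "hdfs",
            "status": "ok",
            "config": {"namenode": "nn1:8020", "hdfs.user": "svc", "hdfs.password": "h4doop-pw"},
        },
        {
            "name": "hive",
            "status": "ok",
            "config": {"jdbc.url": "jdbc:hive2://hv:10000", "jdbc.password": "hive-pw"},
        },
    ],
    "kerberos": {"principal": "svc@EXAMPLE", "keytab_secret": "QmFzZTY0a2V5dGFi"},
}


def redact(obj):
    """Return a deep copy of obj with secret-looking scalar values replaced by MASK.

    Recurses through dicts and lists so nested structures are handled; a
    matching key whose value is itself a container (e.g. "credentials": {...})
    is descended into rather than masked wholesale, so the non-secret fields
    inside it survive.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if SECRET_KEY.search(str(key)) and not isinstance(value, (dict, list)):
                out[key] = MASK
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return copy.copy(obj)


def find_leaks(response_obj, known_secrets):
    """Return the known secret values that appear verbatim in the serialized response.

    This is key-agnostic on purpose: it catches a secret copied into a field
    with an innocuous name ("message", "debug"), which key-based masking misses.
    """
    body = json.dumps(response_obj)
    return sorted(s for s in known_secrets if s and s in body)


def build_response():
    """Simulated API handler: redact before returning, then self-check."""
    safe = redact(SAMPLE_RESPONSE)
    leaks = find_leaks(safe, ["h4doop-pw", "hive-pw", "QmFzZTY0a2V5dGFi"])
    if leaks:
        raise RuntimeError(f"refusing to send response: secrets present {leaks}")
    return safe


if __name__ == "__main__":
    print(json.dumps(build_response(), indent=2))
```

Masking on the server is the layer that would have prevented CVE-2026-2255; a masked password field in the UI (the CVE-2026-3314 case) is a separate, client-side control and neither replaces the other. The `find_leaks` check is also the one to run against a pre-fix build: if it returns anything, the response is leaking a secret regardless of what the field is called.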

Patch status and mitigations. Hitachi has released fixes for all three Pentaho CVEs: versions 10.2.0.6 (for CVE-2026-2254 and CVE-2026-2255) and 10.2.0.7 (for CVE-2026-2253), as well as version 11.0.0.0. For CVE-2026-8479 (RTU500), the advisory notes the product is only affected if IEC 60870-5-104 bidirectional mode is configured, so disabling that mode where it is not operationally required is a configuration-level mitigation. For CVE-2026-7310 (HiDraw), the local authenticated requirement limits exposure, but users should apply any available software update. For CVE-2026-3314 (Ops Center Analyzer), Hitachi's advisory did not specify a fixed version in the available description.

Why this batch matters. The disclosure is notable for its breadth — spanning enterprise data analytics, industrial control systems, engineering tools, and data center management software — rather than a deep concentration of bugs in a single product. Pentaho users in particular should prioritize the XXE fix (CVE-2026-2253), which carries the highest severity in the batch and affects a widely deployed data integration platform. Organizations running RTU500 in bidirectional mode should verify their exposure to CVE-2026-8479 and apply mitigations promptly.

AI-written article. Grounded in 6 CVE records listed below.