Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization
Description
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pentaho BA Server's dashboard editor plugin API fails to correctly enforce authorization, allowing access control bypass.
Vulnerability
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4, and 8.3.0.27 do not correctly perform an authorization check in the dashboard editor plugin API, due to a missing or improper authorization mechanism (CWE-863) [1].
Exploitation
An attacker with network access to the Pentaho BA Server can exploit this by sending crafted requests to the dashboard editor plugin API without proper authentication or authorization, bypassing intended access restrictions [1].
Impact
Successful exploitation allows attackers to access data or perform actions they should not be allowed to, leading to information exposure and potential denial of service [1].
Mitigation
The vendor recommends removing the dashboard editor plugin as an immediate workaround. Upgrade to version 9.3.0.0, 9.2.0.4, 8.3.0.27, or later to fix the issue. Check Pentaho End-of-Life policy for older versions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <9.3.0.0, >=9.2.0.0 <9.2.0.4, >=8.3.0.0 <8.3.0.27
- Range: 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.