CVE-2026-9057
Description
A broken access control issue has been identified in the Talend Administration Center that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A broken access control flaw in Qlik Talend Administration Center allows users with View permission to modify the Talend Studio update URL, enabling malicious software downloads.
Vulnerability
A broken access control vulnerability exists in Qlik Talend Administration Center versions before Patch_20251121_QTAC-1471_R2025-11_v1-8.0.1 [1]. The issue allows a user with only "View" permission to modify the Qlik Talend Studio update URL [1]. This is due to insufficient authorization checks on the URL configuration functionality [1].
Exploitation
An attacker must have a valid account with "View" permission in the Talend Administration Center [1]. No other special network position or authentication is needed beyond this low-privilege access [1]. The attacker can then modify the Talend Studio update URL via the administration interface [1]. Exploitation is limited to authenticated users, and the CVSS vector rates the attack complexity as high (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) [1].
Impact
If successfully exploited, an attacker can point the Talend Studio update mechanism to a malicious URL, which could result in downloading and installing malicious software on Talend Studio instances [1]. This can lead to full compromise of confidentiality and integrity of the affected system, as the attacker-supplied software may execute arbitrary code [1]. The impact is broad due to the scope change (S:C) in the CVSS vector [1].
Mitigation
The vulnerability is fixed in patch QTAC-1471, released on November 21, 2025 [1]. All users should upgrade to Qlik Talend Administration Center version Patch_20251121_QTAC-1471_R2025-11_v1-8.0.1 or later [1]. No workarounds are mentioned in the available reference [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1