Hitachi Vantara Pentaho Data Integration and Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not enforce ACLs on specific API endpoints related to platform mail notifications. This incorrect permission assignment (CWE-732) can lead to unauthorized access or modification of critical resources via these endpoints. The CVSS 3.1 base score is 6.3, indicating a medium severity vulnerability with network attack vector, low attack complexity, requiring low privileges but no user interaction, and impacts on confidentiality, integrity, and availability. No patch or official remediation level has been published by the vendor as of the current data.

The vulnerability allows users with limited privileges to potentially access or manipulate platform mail notification API endpoints without proper authorization. This can lead to partial compromise of confidentiality, integrity, and availability of the affected system components. However, the impact is limited by the requirement for some level of privileges and the absence of known active exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should review and restrict access to the affected API endpoints where possible, and monitor for unusual activity related to platform mail notifications. No vendor-provided official fix or temporary workaround is currently documented.