Critical Security fix for the Talend JobServer and Talend Runtime

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch.

AI Analysis

Unauthenticated remote code execution via the JMX monitoring port

Basic Information

ID CVE-2026-6264

Source Bugcrowd

Published Apr 14, 2026 at 01:49

Modified Apr 14, 2026 at 02:03

Affected Product

Vendor Talend

Product Talend JobServer

Version 8.0

Affected Versions Talend Talend JobServer 8.0
Talend Talend JobServer 7.3
Talend Talend Runtime 8.0
Talend Talend Runtime 7.3

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Talend

Product Talend JobServer, Talend Runtime

Version 7.3, 8.0

References

community.qlik.com /t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974

{
    "lastseen": "",
    "description": "A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch.",
    "published": "2026-04-14T01:49:08.920Z",
    "modified": "2026-04-14T02:03:18.536Z",
    "type": "cve",
    "title": "Critical Security fix for the Talend JobServer and Talend Runtime",
    "source": "Bugcrowd",
    "references": "https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974",
    "id": "CVE-2026-6264",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Talend Talend JobServer 8.0\nTalend Talend JobServer 7.3\nTalend Talend Runtime 8.0\nTalend Talend Runtime 7.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Talend JobServer",
    "version": "8.0",
    "vendor": "Talend",
    "ai_description": "Unauthenticated remote code execution via the JMX monitoring port",
    "ai_severity": "Critical",
    "ai_vendor": "Talend",
    "ai_product": "Talend JobServer, Talend Runtime",
    "ai_version": "7.3, 8.0",
    "ai_score": 9.8
}

Critical Security fix for the Talend JobServer and Talend Runtime_CVE-2026-6264