CVE Alert

CVE-2026-6264

CRITICAL 9.8

Critical Security fix for the Talend JobServer and Talend Runtime

CVSS Score: 9.8
EPSS Score: 0.2%
EPSS Percentile: 47th

A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port of the Talend JobServer. For the Talend JobServer, requiring TLS client authentication on the monitoring port mitigates the vulnerability; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch onward.

Vendor: talend
Product: talend jobserver
Published: Apr 14, 2026
Last Updated: Apr 16, 2026
CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Talend / Talend JobServer
8.0 < TPS-6017
7.3 < TPS-6018
Talend / Talend Runtime
8.0 < 8.0.1.R2026-01-RT
7.3 < 7.3.1-R2026-01

References

community.qlik.com: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974

Credits

Harpreet Singh (@TheCyb3rAlpha), Profession: Security Researcher