article Critical Security fix for the Qlik Talend JobServer and Talend Runtime (CVE-2026-6264) in Official Support Articles https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/ta-p/2541970 <H3><STRONG><FONT color="#339966">Executive Summary</FONT></STRONG></H3> <P>A critical security issue in the <FONT color="#339966"><STRONG>Talend JobServer</STRONG></FONT> and <STRONG><FONT color="#339966">Talend Runtime</FONT></STRONG> has been identified. This issue was resolved in later patches, which are already available. If the vulnerability is successfully exploited, an attacker could gain full remote code execution on the Talend JobServer and Talend Runtime servers.</P> <P>This issue was discovered by Harpreet Singh (@TheCyb3rAlphaProfession), Security Researcher.</P> <H3><FONT color="#339966"><STRONG>Affected Software</STRONG></FONT></H3> <UL class="lia-list-style-type-circle"> <LI>All versions of Talend JobServer before TPS-6017 (8.0) or TPS-6018 (7.3).</LI> <LI>All versions of Talend Runtime before 8.0.1.R2026-01-RT or 7.3.1-R2026-01</LI> </UL> <H3><FONT color="#339966"><STRONG>Severity Rating</STRONG></FONT></H3> <P>Using the CVSS V3.1 scoring system (<A href="https://nvd.nist.gov/vuln-metrics/cvss" target="_blank" rel="noopener">https://nvd.nist.gov/vuln-metrics/cvss</A>), this issue is rated CRITICAL.</P> <H3><FONT color="#339966"><STRONG>Vulnerability Details</STRONG></FONT></H3> <P data-unlink="true">CVE-<SPAN data-teams="true">2026-6264</SPAN></P> <P><FONT color="#339966"><STRONG>Severity:</STRONG></FONT> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (<STRONG>9.8 Critical</STRONG>)</P> <P class="lia-indent-padding-left-30px">A critical vulnerability has been found in the Talend JobServer and Talend Runtime that allows unauthenticated remote code execution</P> <P>The attack vector for this vulnerability is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend Jobserver by requiring TLS client authentication for the monitoring port. However, the patch will need to be applied to fully mitigate the vulnerability. <BR />For Talend Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the 8.0 R2024-07-RT patch.</P> <P>&nbsp;</P> <H3><FONT color="#339966"><STRONG>Resolution</STRONG></FONT></H3> <H4><FONT color="#339966"><STRONG>Recommendation</STRONG></FONT></H4> <P data-unlink="true">Upgrade at the earliest. The following table lists the patch versions addressing the vulnerability (CVE-<SPAN data-teams="true">2026-6264</SPAN>).</P> <BLOCKQUOTE class="quote">Always update to the latest version. Before you upgrade, check if a more recent release is available.</BLOCKQUOTE> <TABLE style="width: 100%;" border="1" width="100%"> <TBODY> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="background-color: lightgray; width: 29.9921%;">&nbsp;<STRONG>Product</STRONG></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: lightgray; width: 19.9815%;"><STRONG>Patch</STRONG></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: lightgray; width: 19.9815%;"><STRONG>Release Date</STRONG></TD> </TR> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 29.9921%;">Talend JobServer 8.0</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;"><A href="https://help.qlik.com/talend/en-US/patch-notes/8.0/tps-6017" target="_blank" rel="noopener">TPS-6017</A></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;">January 16, 2026</TD> </TR> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="width: 29.9921%;">Talend Jobserver 7.3</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="width: 19.9815%;">TPS-6018</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="width: 19.9815%;">January 16, 2026</TD> </TR> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 29.9921%;">Talend Runtime 8.0</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;"><A href="https://help.qlik.com/talend/en-US/patch-notes/8.0/r2026-01-rt" target="_blank" rel="noopener">8.0.1.R2026-01-RT</A></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;">January 24, 2026</TD> </TR> <TR> <TD height="24px" style="width: 29.9921%;">Talend Runtime 7.3</TD> <TD height="24px" style="width: 19.9815%;">7.3.1-R2026-01</TD> <TD height="24px" style="width: 19.9815%;">January 24, 2026</TD> </TR> </TBODY> </TABLE> Wed, 15 Apr 2026 08:52:30 GMT Sonja_Bauernfeind 2026-04-15T08:52:30Z Critical Security fix for the Qlik Talend JobServer and Talend Runtime (CVE-2026-6264) https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/ta-p/2541970 <H3><STRONG><FONT color="#339966">Executive Summary</FONT></STRONG></H3> <P>A critical security issue in the <FONT color="#339966"><STRONG>Talend JobServer</STRONG></FONT> and <STRONG><FONT color="#339966">Talend Runtime</FONT></STRONG> has been identified. This issue was resolved in later patches, which are already available. If the vulnerability is successfully exploited, an attacker could gain full remote code execution on the Talend JobServer and Talend Runtime servers.</P> <P>This issue was discovered by Harpreet Singh (@TheCyb3rAlphaProfession), Security Researcher.</P> <H3><FONT color="#339966"><STRONG>Affected Software</STRONG></FONT></H3> <UL class="lia-list-style-type-circle"> <LI>All versions of Talend JobServer before TPS-6017 (8.0) or TPS-6018 (7.3).</LI> <LI>All versions of Talend Runtime before 8.0.1.R2026-01-RT or 7.3.1-R2026-01</LI> </UL> <H3><FONT color="#339966"><STRONG>Severity Rating</STRONG></FONT></H3> <P>Using the CVSS V3.1 scoring system (<A href="https://nvd.nist.gov/vuln-metrics/cvss" target="_blank" rel="noopener">https://nvd.nist.gov/vuln-metrics/cvss</A>), this issue is rated CRITICAL.</P> <H3><FONT color="#339966"><STRONG>Vulnerability Details</STRONG></FONT></H3> <P data-unlink="true">CVE-<SPAN data-teams="true">2026-6264</SPAN></P> <P><FONT color="#339966"><STRONG>Severity:</STRONG></FONT> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (<STRONG>9.8 Critical</STRONG>)</P> <P class="lia-indent-padding-left-30px">A critical vulnerability has been found in the Talend JobServer and Talend Runtime that allows unauthenticated remote code execution</P> <P>The attack vector for this vulnerability is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend Jobserver by requiring TLS client authentication for the monitoring port. However, the patch will need to be applied to fully mitigate the vulnerability. <BR />For Talend Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the 8.0 R2024-07-RT patch.</P> <P>&nbsp;</P> <H3><FONT color="#339966"><STRONG>Resolution</STRONG></FONT></H3> <H4><FONT color="#339966"><STRONG>Recommendation</STRONG></FONT></H4> <P data-unlink="true">Upgrade at the earliest. The following table lists the patch versions addressing the vulnerability (CVE-<SPAN data-teams="true">2026-6264</SPAN>).</P> <BLOCKQUOTE class="quote">Always update to the latest version. Before you upgrade, check if a more recent release is available.</BLOCKQUOTE> <TABLE style="width: 100%;" border="1" width="100%"> <TBODY> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="background-color: lightgray; width: 29.9921%;">&nbsp;<STRONG>Product</STRONG></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: lightgray; width: 19.9815%;"><STRONG>Patch</STRONG></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: lightgray; width: 19.9815%;"><STRONG>Release Date</STRONG></TD> </TR> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 29.9921%;">Talend JobServer 8.0</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;"><A href="https://help.qlik.com/talend/en-US/patch-notes/8.0/tps-6017" target="_blank" rel="noopener">TPS-6017</A></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;">January 16, 2026</TD> </TR> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="width: 29.9921%;">Talend Jobserver 7.3</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="width: 19.9815%;">TPS-6018</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="width: 19.9815%;">January 16, 2026</TD> </TR> <TR> <TD width="29.9921%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 29.9921%;">Talend Runtime 8.0</TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;"><A href="https://help.qlik.com/talend/en-US/patch-notes/8.0/r2026-01-rt" target="_blank" rel="noopener">8.0.1.R2026-01-RT</A></TD> <TD width="19.9815%" height="46px" class="lia-align-left" style="background-color: ghostwhite; width: 19.9815%;">January 24, 2026</TD> </TR> <TR> <TD height="24px" style="width: 29.9921%;">Talend Runtime 7.3</TD> <TD height="24px" style="width: 19.9815%;">7.3.1-R2026-01</TD> <TD height="24px" style="width: 19.9815%;">January 24, 2026</TD> </TR> </TBODY> </TABLE> Wed, 15 Apr 2026 08:52:30 GMT https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/ta-p/2541970 Sonja_Bauernfeind 2026-04-15T08:52:30Z Re: Critical Security fix for the Qlik Talend JobServer and Talend Runtime (CVE-2026-pending) https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974#M16810 <P><SPAN>For discussions and questions, comment directly on the&nbsp;</SPAN><A href="https://community.qlik.com/t5/Support-Updates/Qlik-Talend-Job-Server-and-Talend-Runtime-New-Security-Patches/ba-p/2541972" target="_blank" rel="noopener" aria-describedby="audioeye_new_window_message">related blog post</A><SPAN>.&nbsp; We will be monitoring it. Thank you!</SPAN></P> Thu, 29 Jan 2026 15:19:13 GMT https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974#M16810 Sonja_Bauernfeind 2026-01-29T15:19:13Z