A critical security issue in the Talend JobServer and Talend Runtime has been identified. This issue was resolved in later patches, which are already available. If the vulnerability is successfully exploited, an attacker could gain full remote code execution on the Talend JobServer and Talend Runtime servers.
This issue was discovered by Harpreet Singh (@TheCyb3rAlphaProfession), Security Researcher.
Affected Software
All versions of Talend JobServer before TPS-6017 (8.0) or TPS-6018 (7.3).
All versions of Talend Runtime before 8.0.1.R2026-01-RT or 7.3.1-R2026-01.
A critical vulnerability has been found in the Talend JobServer and Talend Runtime that allows unauthenticated remote code execution.
The attack vector for this vulnerability is the JMX monitoring port of the Talend JobServer. For the Talend JobServer, the vulnerability can be mitigated by requiring TLS client authentication for the monitoring port. However, the patch will need to be applied to fully mitigate the vulnerability. For Talend Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default as of the 8.0 R2024-07-RT patch.
Resolution
Recommendation
Upgrade at the earliest opportunity. The following table lists the patch versions addressing the vulnerability (CVE-2026-6264).
Always update to the latest version. Before you upgrade, check if a more recent release is available.