HTTP Response Header exposes Microsoft-HTTPAPI/2.0 as the server source. An attacker could use this information to expose known vulnerabilities for the server source.

Resolution

This header is included in the HTTP header by .NET framework, which means it can not be directly controlled by Qlik software. 

Environment

Qlik Sense Enterprise on Windows, all version
QlikView, all versions
Qlik NPrinting, all versions

Internal Investigation IDs:

• QLIK-90522

PostgreSQL has identified a vulnerability (CVE-2025-1094) that allows for SQL injection under certain scenarios. For more information, see CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation.

Resolution

To allow for quick mitigation of PostgreSQL vulnerabilities, Qlik offers the ability to run and manage your own PostgreSQL instance independently of what Qlik Sense Enterprise on Windows is shipped with. This allows for direct control of your PostgreSQL instance and facilitates maintenance without a dependency on Qlik Sense. Further Database upgrades can then be performed independently and in accordance with your corporate security policy when needed, as long as you remain within the supported PostgreSQL versions.

Recommendations

Upgrade to Qlik Sense Enterprise on Windows May 2025 IR

Qlik Sense Enterprise on Windows May 2025 IR includes PostgreSQL 14.17 in its installer. See the System Requirements for details.

Upgrade PostgreSQL

If you have already installed a standalone PostgreSQL database, or if you have used the Qlik PostgreSQL Installer (QPI) to upgrade and decouple your previously bundled database, then you can upgrade PostgreSQL at any time. This means you control maintenance and can immediately react to potential PostgreSQL security concerns by upgrading to a later service release or a later major version.

See Qlik Sense Enterprise on Windows: How To Upgrade Standalone PostgreSQL.

Verify your Qlik Sense Enterprise on Windows version's System Requirements before committing to a PostgreSQL version.

Unbundle and upgrade PostgreSQL using QPI

If you have not yet installed a standalone PostgreSQL instance, this is the preferred method to gain direct control to upgrade at your own pace. For instructions, see Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer.

Manually switch to a dedicated PostgreSQL database

An alternative method to migrate to a standalone PostgreSQL instance is available in How to configure Qlik Sense to use a dedicated PostgreSQL database.

Related Content

• System requirements for Qlik Sense Enterprise
• Qlik Sense Enterprise on Windows: How To Upgrade Standalone PostgreSQL 
• Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer 
• How to configure Qlik Sense to use a dedicated PostgreSQL database 

Internal Investigation ID(s)

SUPPORT-896

Environment

• Qlik Sense Enterprise on Windows

Executive Summary

A critical security issue in the Talend JobServer and Talend Runtime has been identified. This issue was resolved in later patches, which are already available. If the vulnerability is successfully exploited, an attacker could gain full remote code execution on the Talend JobServer and Talend Runtime servers.

This issue was discovered by Harpreet Singh (@TheCyb3rAlphaProfession), Security Researcher.

Affected Software

• All versions of Talend JobServer before TPS-6017 (8.0) or TPS-6018 (7.3).
• All versions of Talend Runtime before 8.0.1.R2026-01-RT or 7.3.1-R2026-01

Severity Rating

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), this issue is rated CRITICAL.

Vulnerability Details

CVE-2026-6264

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)

A critical vulnerability has been found in the Talend JobServer and Talend Runtime that allows unauthenticated remote code execution

The attack vector for this vulnerability is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend Jobserver by requiring TLS client authentication for the monitoring port. However, the patch will need to be applied to fully mitigate the vulnerability.
For Talend Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the 8.0 R2024-07-RT patch.

Resolution

Recommendation

Upgrade at the earliest. The following table lists the patch versions addressing the vulnerability (CVE-2026-6264).

Always update to the latest version. Before you upgrade, check if a more recent release is available.

Security of Qlik Sense Enterprise on Windows can be approached in the below discrete areas. All these areas provide different options for increasing security in a deployment, and thereby mitigating vulnerabilities and protecting against attackers. 

Content:

• 1. Authentication
• 2. Authorization
• Security Rules
• Section Access
• 3. Operating System Hardening
• Step 1: Disabling protocols and ciphers
• Step 2: Firewalls
• Step 3: Service Account Permission
• Step 4: Anti-Virus
• Step 5 (Optional): FIPS
• 4. PostgreSQL Hardening
• 5. Generalized Web Server best practices
• Apply a trusted certificate
• Optional: Additional HTTP Response Headers

Be aware that a high level of server hardening can lead to failure in your deployment. Be mindful of always having a backup to restore to in case your configuration leads to irreversible failure.

1. Authentication

Qlik Sense Enterprise on Windows supports multiple different Authentication Solutions;

• Windows (NTLM)
• Kerberos 
• Ticketing
• SAML
• JWT
• Header
• Anonymous

Qlik can not specify which authentication method is appropriate for each deployment. It is advisable to review currently supported alternatives within your organization and/or Identity Provider (IdP) to implement the most suitable solution for your use case.

2. Authorization 

Qlik Sense Enterprise on Windows provides two levels of native authorization in the product.

Security Rules

Attribute based access control (ABAC), which is configured through Qlik Sense security rules. This article will not go in depth on how to best implement security rules for your requirements, but it is highly recommended to think of your users based on the capabilities that you intend to provide them. For example different roles and capabilities as shown in image below, allows for a security rule framework to be designed and implemented. This can be done either by yourself by referencing Qlik Sense Help for Administrators and available assets or by engaging with a Qlik Consultant or Qlik Partner.

Section Access

Row level data reduction, which is configured through Section Access at Qlik Sense app level. This article will not go in depth on Section Access implementation, but with this reduction a single file can be used to hold the data for a number of users or user groups. Qlik Sense uses the information in the section access for authentication and authorization, and dynamically reduces the data, so that users only see their own data. 

3. Operating System Hardening

Qlik Sense Enterprise on Windows inherits the available protocols, cipher suites, key exchanges and other security hardening which are enabled on the Windows Server operating Qlik Sense.

Step 1: Disabling protocols and ciphers

Windows Server has a lot of protocols enabled by default; however protocols, ciphers, hashes and key exchanges that are considered deprecated or not secure enough should be disabled. There are many ways of doing this, and the Windows administrator and security experts should be consulted so that local policies are accurately applied. For simplicity, understanding and a good overview IIS Crypto 3.0 can be a good tool for evaluating current Windows configuration and applying changes. 
Keep in mind that "Best Practice" today might not be recommended in the near future, what was considered "safe" a while ago is not necessarily considered so today. For this reason, it is also important to regularly scan servers for potential vulnerabilities and revisit configurations as required. 

The Windows Server needs to be restarted for these settings changes to take effect. It is also important to ensure that all components running on the server still operate as expected after hardening is applied, for example, older non-Qlik software might not be compliant with the latest options and standards. 

Step 2: Firewalls

Firewalls typically should be closed, with required ports only opened for intended purposes.
See Qlik Sense Enterprise on Windows ports overview for details on required port based on the deployed architecture.

Step 3: Service Account Permission

For most organizations, local administrator rights allow for an easier deployment, but Qlik Sense Enterprise on Windows does not require local administrator rights in order to function. This can be an attractive option inside some organizations. This will require additional configuration of boot strap mode as described in Qlik Sense Enterprise on Windows Services.
For a brief overview of the rights needed by a Qlik Sense Enterprise service account:

• Full control over the share used by Qlik Sense Enterprise
• Full control over the installation directory (default: C:\Program Files\Qlik)
• Full control over %ProgramData%\Qlik
• Full control over any folders used as data connections

Qlik Sense Enterprise for Windows does not officially support Group Managed Service Accounts (gMSA), but it can operate using one. The initial barrier is that the installer requires a service account and password to be entered during installation. A domain or local account could be substituted for the install stages only to be swapped out in the Windows Services applet (services.msc) after installation. Some functionality may require workarounds (e.g. A User Directory Connection to Active Directory).

Step 4: Anti-Virus

Qlik Sense Enterprise on Windows does require exceptions from anti-virus scan to avoid potential disk I/O conflicts. Refer to Qlik Sense Folder And Files To Exclude From AntiVirus Scanning for more details. 

Step 5 (Optional): FIPS

Qlik Sense Enterprise on Windows can run with Federal Information Processing Standards (FIPS) enabled on the Windows Server. This does require a few adjustments of configuration files due to Qlik using non-FIPS compliant algorithms for minor tasks like hash checks. See Running Qlik Sense on Windows systems with FIPS compliance enabled for more details on Qlik Sense and FIPS.

4. PostgreSQL Hardening

Qlik Sense Enterprise on Windows uses PostgreSQL to store meta-data relating to a Qlik Sense site. In multi-node sites or sites where PostgreSQL is isolated from Qlik Sense Enterprise for Windows additional security can be applied;

• Database Traffic Encryption
• Hardening what endpoints are allowed to connect to PostgreSQL as described in PostgreSQL: postgresql.conf and pg_hba.conf explained

5. Generalized Web Server best practices

Qlik Sense Proxy service bundled with Qlik Sense Enterprise on Windows is simply a web-service. This means applying general practice guidance but in the context of Qlik Sense as described below.

Apply a trusted certificate

Qlik Sense Enterprise on Windows acts as a Certificate Authority (CA) during initial installation and signs a certificate that is applied on all encrypted traffic between Qlik Sense services. The same Qlik Sense signed certificate is applied as default certificate also for incoming connections from users accessing Qlik Sense Hub and QMC. This default certificate is not intended for production use, unless user access to Qlik Sense comes through a network load balancer or reverse proxy that trusts the Qlik Sense certificate. For direct user access to Qlik Sense Proxy, a fully trusted certificate can typically be acquired from your local IT and then applied on the Qlik Sense Proxy service. 

As of July 2019, Qlik Sense Enterprise on Windows support SHA1 and SHA2 certificates. If SHA384 or SHA512 certificates are needed, then a network load balancer or reverse proxy can be configured in front of Qlik Sense which offloads to Qlik Sense.

Optional: Additional HTTP Response Headers

There are numerous HTTP response headers that can be used in attempting to secure a server. Below are a couple of the most common ones, but as always it is recommended to consult local IT and web security expert on what the recommendations are. 

Any additional HTTP response header values can be configured in Qlik Sense Virtual Proxy settings under Additional response headers as shown in the below image and described in Qlik Sense for Administrators: Virtual Proxies. It is recommended to trial any header changes in a new virtual proxy, as poor configuration may accidentally lock you out from Qlik Sense access. 

• HTTP Strict Transport Security (HSTS) HTTP Strict Transport Security (HSTS) is an opt-in security enhancement which any web application can support through the use of a special response header. When a supported browser receives this header that browser will prevent any communication sent over HTTP in the future and will redirect all traffic over HTTPS instead. Caution is advised when implementing HSTS, as it might block HTTP access to certain pages that actually requires it or needs to be excluded from HSTS. See MDN Web Docs: Strict-Transport-Security for more details on configuration options. 
• Optional: X-Content-Type-Options X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing. 
• X-Frame-Options will prevent the site to be embedded in an iFrame, which can effective mitigate against ClickJacking attacks
• Content-Security-Policy: policy (old: X-XSS-Protection) improves security against some types of XSS (cross-site scripting) attacks.

  Policy is a placeholder for your policy of choice and cannot be used as a value. See Writing a Policy (Mozilla) for examples.

  

Executive Summary 

In December 2025, the Apache Project announced a vulnerability in Apache Tika (CVE-2025-66516) and provided patches to resolve the issue. Qlik has been reviewing our usage of the Apache Tika product suite and has identified a limited impact as follows.

Affected Software 

Apache Tika is used in several Qlik products. However, the vulnerability is only relevant to the case of a Talend Studio route that uses Apache Tika to parse PDFs.

No other use case or product is impacted by the vulnerability. Qlik Cloud and Talend Cloud are not impacted by this vulnerability.

Nevertheless, we are patching all our products that contain Apache Tika out of an abundance of caution. Be on the lookout for a series of product patches for supported and affected versions.

Resolution 

Recommendation 

The releases listed in the table below contain the updated version of Apache Tika, which addresses CVE-2025-66516.

Always update to the latest version. Before you upgrade, check if a more recent release is available.

Talend Studio opens very quickly, but when attempting to open a Job, the process becomes very slow, and the following error messages are displayed in the .log file:

: !STACK 0 java.lang.IllegalStateException: java.util.concurrent.TimeoutException: Timeout when waiting for component server initialization: -Dtalend.studio.sdk.startup.timeout=2 

Resolution

Prevent the infosec software from redirecting the port to bind.

Cause

The operation manager enabled feature from the cybersecurity software that allows to redirect the request.

Environment

• Talend Studio 

Stitch Support frequently receives questions regarding the invocation of the PUBLIC role with Snowflake. When setting up a database user following Create a Stitch database and database user (Qlik Stitch Documentation), users will notice that the Stitch user executes GRANT statements on the PUBLIC role. This behavior can raise questions about role-based access and security implications within Snowflake.

Resolution

Manually adjust permissions in Snowflake as needed. If you prefer Stitch offers a more streamlined approach in its behavior, please submit a feature request. Refer to New Process for Submitting a Feature Request for All Talend Customers and Partners  on how to submit a feature request.

Cause

By default, Stitch grants the PUBLIC role access to schemas and objects it creates in Snowflake. This behavior often raises questions from users who are concerned about broad access permissions.

The reason Stitch does this is because it cannot assume which specific roles or users in your organization should have access to the data. Granting access to the PUBLIC role ensures that Stitch can write data successfully without making assumptions about your internal role structure.

This default behavior is not a requirement from Snowflake itself, but rather a design decision by Stitch to simplify initial setup and avoid permission-related sync failures.

If this approach does not align with your organization’s security policies, you may manually revoke access from the PUBLIC role after the initial sync. However, this step must be repeated each time a new integration runs or a new schema is created, which may not be scalable.

Snowflake supports granular permission control via the REVOKE command, allowing you to adjust access as needed:

🔗 REVOKE <privileges> … FROM ROLE | docs.snowflake.com

While this manual revocation process works, it requires ongoing attention. If tighter access control is a priority and manual intervention isn’t feasible, you may want to consider alternative destinations or workflows.

Environment

• Stitch 

Qlik Sense and Vulnerability “CVE-2025-7783” in NPM Library form-data

In mid-July 2025, a vulnerability was disclosed in the NPM library form-data (GitHub Security Advisory). Qlik became aware of this issue through its standard Secure Development Lifecycle (SDL) processes.

Following an internal review, Qlik R&D and Security teams identified that potentially vulnerable versions of the form-data library were included in some installations of Qlik Sense Enterprise for Windows. However, due to the specific way Qlik utilizes this library, the conditions required for exploitation are not met.

Although the vulnerability was determined to be non-exploitable within Qlik Sense, customers who prefer to upgrade to a version that includes the patched form-data library can do so by installing one of the following releases:

• May 2025 Patch 6
• November 2024 Patch 18 
• May 2024 Patch 24 

Note: An earlier version of this information was mistakenly published indicating that this CVE was directly related to Qlik Sense for Windows.

A third-party certificate was configured in the Qlik Sense Proxy, but is not being used.

The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access. 

Qlik Sense Enterprise on Windows uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the hub and management console.  It is possible to use a third-party-issued SSL certificate to protect client web traffic. Using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer). 

If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense or it does not have the correct attributes and cyphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:

Example:  C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt

No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE]) Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE] Reverting to default Qlik Sense SSLCertificate Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser

Resolution:

In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:

Note: Root and Intermediate CA certificates need to be correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.

Certificates that are known to work well with Qlik Sense have the following attributes:

• Certificates that are x509 version 3. More information including filename extensions under https://en.wikipedia.org/wiki/X.509 
• Use signature algorithm sha256RSA
• Use signature hash algorithm sha256
• Signed by a valid, and OS/browser configured , CA
• Are valid according to date restrictions (valid from/valid to)
• Key in format CryptoAPI (not in CNG)
• The certificate itself has to contain private key no matter what Qlik Sense version.

 Related Content:

How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate 

 

While Qlik Cloud provides robust data connectivity options through the Data Movement Gateway, some organizations require additional controls to restrict access to the Qlik Cloud Talend platform itself, not only to data connections. 

While Qlik Cloud does not currently support full tenant-level access restriction via PrivateLink, it does offer:

• IP-based access control via Web Integrations
• Strong authentication and security policies
• Gateway-based PrivateLink support for data connectivity
• Cryptographically secure gateway communication

This article outlines these available options and limitations for securing tenant access at the platform level.

Content

• Does Qlik Cloud support IP Allowlist for tenant access?
• Are there network-level restrictions available for accessing the Qlik Cloud tenant?
• What are the available options for securing tenant access beyond standard authentication?
• Understanding Gateway Security Architecture
• Future Plans

Does Qlik Cloud support IP Allowlist for tenant access?

Yes. Qlik Cloud supports IP allowlisting through Web Integrations, which can be configured to restrict access to the tenant based on specific IP addresses.

See Managing web integrations for details.

Are there network-level restrictions available for accessing the Qlik Cloud tenant?

Qlik Talend Data Integration supports private connections for tenant-level access. Does Qlik Cloud support a similar, solution, such as Azure or AWS PrivateLink?

No, Qlik Cloud does not support Azure PrivateLink for tenant-level access in the same way Talend Cloud does.

• In Qlik Talend Data Integration, PrivateLink can be used to restrict access to the entire tenant.
• In Qlik Cloud, PrivateLink is supported only for data connectivity via a customer-managed gateway.
• The gateway acts as the endpoint for PrivateLink, but it does not restrict access to the Qlik Cloud web interface.
• See Support private connections in Qlik Talend Data Integration for details.

What are the available options for securing tenant access beyond standard authentication?

Qlik Cloud offers several security features for tenant access:

• Multi-Factor Authentication (MFA)
• OAuth
• Content Security Policy (CSP)
• API Keys
• Web Integrations (IP Allowlist)

See Securing the system.

Understanding Gateway Security Architecture

When using the Data Movement Gateway, Qlik Cloud ensures secure communication through a multi-step cryptographic process:

1. Key Generation & Registration:
   
   Upon installation, the gateway generates a private/public key pair and a key ID (kid). The public key and key ID are registered in Qlik Cloud by the tenant admin.
   
   
2. Secure WebSocket Establishment:
   
   
   1. The gateway initiates a TLS-secured WebSocket (WSS) connection to Qlik Cloud.
   2. During this handshake:
      
      
      • The gateway verifies QCS’s certificate.
      • Qlik Cloud verifies the JWT sent by the gateway, ensuring it includes the correct key ID and is signed with the gateway’s private key.
      • This confirms a cryptographic match to the registered public key and key ID.
        
        
3. Channel Key Derivation:
    
   • Both sides generate ECDH key pairs and exchange secrets.
   • A channel key is derived and used to encrypt all traffic over the WebSocket.
   • This key is re-derived upon reconnection or restart, ensuring session-level encryption.

This architecture ensures that all data movement operations are secure, authenticated, and encrypted end-to-end.

Future Plans

If full tenant isolation via PrivateLink is a critical requirement, please submit a feature request via Qlik Ideation.

Environment

• Qlik Cloud
• Qlik Talend Data Integration

Node.js comes bundled with Qlik Sense Enterprise on Windows. Its version depends on the Qlik Sense released currently installed.

How do I know which version of node.js is used by Qlik Sense?

You can verify the version of any of the third-party integrations Qlik Sense makes use of by:

• Using the Qlik Sense API and calling About Service API: thirdParty: Get, which returns details including information about copyright, version, licensing, and legal notices.
• Accessing the below URL in a browser, where qlikserver.domain.local is replaced with your Qlik Sense server hostname:
  

  https://qlikserver.domain.local/api/about/v1/thirdParty

How do I upgrade my version of node.js is used by Qlik Sense?

You may want to upgrade node.js, specifically in response to a security vulnerability. To do so, upgrade Qlik Sense Enterprise on Windows. When upgrading Qlik Sense, the currently installed node.exe will be replaced with the version Qlik Sense comes bundled with at this release.

Can I install or upgrade a separately installed instance of node.js?

Installing Qlik Sense installs node.exe side-by-side in the following location: C:\Program Files\Qlik\Sense\ServiceDispatcher\Node.

If you install node.js manually it will typically be installed in C:\Program Files\nodejs and the Windows environment variable will point to this location by default (i.e. running node -v to get the version will result in providing the version of node found in C:\Program Files\nodejs).

As Qlik Sense will not register any Windows environment variable for node.js, it will not tamper with any settings affecting already installed node.js instances. Therefore it is safe to upgrade your separate instance of Node.js.

Environment

• Qlik Sense Enterprise all versions

Related Content

Third-party and middleware software integrated with Qlik Sense Enterprise on Windows 

A deployed 8.0.1 Talend Administration Center instance is bundled with Apache Tomcat 9.0.91. This Tomcat version has been flagged as being impacted by CVE-2025-24813.

Resolution

At this time, CVE-2025-24813 does not apply to the Talend Administration Center (TAC) webapp. The reason Talend Administration Center is not impacted at this time, is because Tomcat installed with Talend Administration Center has disabled the "Writes enabled for the default servlet" option (disabled by default); A prerequisite for being suspectable to an attack would be to have that setting enabled.

While the Talend Administration Center webapp itself is not impacted by the CVE, if users desire to remove those vulnerable jars removed from security scans (whether due to preference, security audit, or other considerations), users have the following options to pursue:

• If the current Tomcat instance that hosts Talend Administration Center 8.0 is version 9.0.x, users can upgrade Tomcat to 9.0.100 or higher.
• If the current Tomcat is using 10.1.34 or a prior version, users can upgrade Tomcat to at least 10.1.40 (or higher) and patch the TAC instance to QTAC-969.

Please note if users plan to upgrade Talend Administration Center from TPS-5552 or earlier (Using Tomcat 9) to QTAC-969 or higher for TAC 8.0, the recommended path would be to  deploy both Apache Tomcat 10.1.40 (or higher) and Java 17 to address this release. (One recommended option is to completely reinstall Tomcat & Talend Administration Center with the new installer and point to the new DB).

If users manually deploy Tomcat 10.1.40 (or a later version) alongside the Talend Administration Center to an instance, and wish to verify that the aforementioned flag(s) are disabled, kindly inspect the "web.xml" file located in (<Root Folder>/apache-tomcat/conf). Proceed to approximately lines 124-135, and examine the following configuration for the "org.apache.catalina.servlets.DefaultServlet":

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>
          org.apache.catalina.servlets.DefaultServlet
    </servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1<load-on-startup>
</servlet>

The example shown above illustrates that the value is set to "false", signifying that it is write-enabled. If users want that functionality disabled, change the "param-value" flag to false, save the changes, and subsequently restart Tomcat (either via the start/stop bat/sh script, or with the service).

Internal Investigation ID(s) 

QTAC-918

Environment

• Talend Administration Center 8.0.1

Erlang/Open Telecom Platform (OTP) has disclosed a critical security vulnerability: CVE-2025-32433.

Is Qlik NPrinting affected by CVE-2025-32433?

Resolution

Qlik NPrinting installs Erlang OTP as part of the RabbitMQ installation, which is essential to the correct functioning of the Qlik NPrinting services.

RabbitMQ does not use SSH, meaning the workaround documented in Unauthenticated Remote Code Execution in Erlang/OTP SSH is already applied. Consequently, Qlik NPrinting remains unaffected by CVE-2025-32433.

All future Qlik NPrinting versions from the 20th of May 2025 and onwards will include patched versions of OTP and fully address this vulnerability.

Environment

• Qlik NPrinting

Is Qlik Replicate affected by CVE-2025-29927? (Next.js Middleware Authorization Bypass Vulnerability (CVE-2025-29927) – Qualys ThreatPROTECT)

Resolution

None of Qlik's Data Integration products (Qlik Replicate, Qlik Compose, Qlik Enterprise Manager, Qlik Catalog) use next.js and are not exposed to CVE-2025-29927.

Review if other programs are installed that are affected and uninstall or upgrade them as required, such as PGAdmin.

Note that while Qlik Replicate uses the PostgreSQL driver when PostgreSQL is used as a source or target endpoint, PGAdmin does not need to be installed on the server. 

Environment

• Qlik Replicate

A virtual proxy which was configured to use Always Anonymous is not intended to be used for administration. While Qlik Sense will prompt for login when accessing the Qlik Sense Management Console (QMC), the Management Console cannot be navigated successfully.

Beginning with November 2023, access will fail with: 

An error occurred
The operation failed due to insufficient privileges

As well as: 

400
Bad Request

Previous version of Qlik Sense may succeed with the login but not allow navigation.

Resolution

Do not use a Virtual Proxy configured to use Always Anonymous as authentication method. Always have a Virtual Proxy ready which requires authentication. For information on how to create a new Virtual Proxy, see Qlik Sense: How to create a new Virtual Proxy.

If you have locked yourself out of the Qlik Sense Management Console by modifying the only available Virtual Proxy, change the enabled authentication method directly in the Qlik Sense QSR database. 

Manual steps to change the authentication method: 

1. Connect to the QSR using PGAdmin (see How to connect to the Qlik Sense Enterprise on Windows or Qlik NPrinting PostgreSQL database)
2. Open the VirtualProxyConfig table
3. In the row for your active Virtual Proxy, change the column AnonymousAccessMode value from 3 (Always Anonymous) to 0 (Requires Authentication)
4. Save the changes
5. Restart the database service

Cause 

A secure Qlik Sense Enterprise Management Console when anonymous access is required.

Internal Investigation ID(s) 

SHEND-1902

Environment

Qlik Sense November 2023 & Newer

If unable to access TAC using default credential (security@company.com/admin), you have forgotten your password.

You can reset it by following these steps:

1. Establish a connection to the TAC database.
2. In the TAC database, execute the following statement:

   UPDATE 'user' set 'password'=0x21232F297A57A5A743894A0E4A801FC3 where id =<userID>;​

   
   Note that `0x21...` corresponds to the encrypted password for "admin". To identify the <userID> associated with the user whose password you wish to update, execute this query: select id, login from user;
3. Using the new password, log in to Talend Administration Center once again.

Related Content 

Change the default password used to configure the TAC database

Environment

• Talend Administration Center 

Does Qlik have a defined security policy?

Qlik takes product security seriously. We have a dedicated team of security experts working on testing, hardening and securing our products.  We also work closely with external security companies, our customers and partners to ensure the security of our products is of the highest standard.  

Our Qlik Trust and Compliance Center provides details for compliance and security questions across all Qlik products. 

What do I do if I find a security vulnerability in a Qlik product?

Please report any security vulnerability concerns to Qlik Support. For an accurate and detailed evaluation of a potential security vulnerability, it is important to clearly describe the scenario in which a vulnerability has been exposed. This includes describing the steps for how security is compromised and what details can be exposed by an attacker.

Notice that generic test reports from 3rd auditing tools typically do not include detailed steps of vulnerability exposure in their security report. These reports commonly refer to potential risk-based patterns; they do not actually expose a vulnerability as part of their system evaluation. Consequently, this means that the default report details are not enough for Qlik to take any immediate action based on the raised concern. Please consult a third-party security auditor or local security expert for complete test case details before reporting a support case with Qlik. 

To enable qualified and efficient investigation and action by Qlik, please report each vulnerability concern as an individual support case with Qlik Support. This means that each concern raised in a 3rd party test report must be reported as a separate support case.

For each case, consider adding as much detail as possible, in line with the following items:

• Qlik product name
• Qlik product version
• Test case subject/name (if based on test report)
• Complete penetration test report (attach full report for reference)
• Name of the security tool used for testing
• Details of how to replicate the vulnerability
  • Step-by-step description of how to expose a vulnerability
  • Recording of reproduction
  • Supporting material, such as logs, traffic traces, or screenshots
• Vulnerability impact
  • Type of information exposed
  • Unauthorized access to content
• CVSS score if one is provided by a security auditor
• CWE (Common Weakness Enumeration) classification, if one is provided

After a recent scan by SecOps team, the same vulnerable files that were previously flagged have reemerged within the system. The vulnerability is rated as critical:

CVE-2020-9493 – Apache Log4j v1.2.17.0
Reference: NVD - CVE-2020-9493

The affected files have been identified in the following locations:

<Studio_Home>/addons/scripts/lucene_migration_tool/lib/lucene-4-8.0.0.jar
<Studio_Home>/addons/scripts/lucene_migration_tool/lib/lucene-8-8.0.0.jar

Cause

This issue arises solely when Talend Studio is installed via the Talend Installer, resulting in the creation of the 'lucene_migration_tool' folder, which contains lucene-4-8.0.0.jar and lucene-8-8.0.0.jar. These Jar files utilize Apache Log4j version 1.2.17.0.

Resolution

Please manually delete the 'lucene_migration_tool' folder from the directory located at '<Studio_Home>/addons/scripts/'. This migration tool is only useful when creating an index from a version lower than Talend Studio 7.2. For further details, please read this documentation page.

Kindly know that the 'lucene_migration_tool' folder will not be created in the new version of Talend Installer.

Internal Investigation ID(s)

SUPPORT-3978

TINSTL-238

Environment

• Talend Studio

Old versions of RabbitMQ include multiple vulnerabilities. This article covers:

• CVE-2020-5419
• CVE-2022-31008
• CVE-2017-4967
• CVE-2019-11291
• CVE-2017-4965

They do not impact Qlik NPrinting.

Qlik NPrinting 2023 versions and later use RabbitMQ 3.12, which is not affected by these vulnerabilities.

How can I verify the RabbitMQ version my Qlik NPrinting install uses?

1. Open the folder C:\Program Files\NPrintingServer
   
   
2. Find the folder named Rabbitmq_server-** 
   
   This will show the deployed version.
   
   Example: C:\Program Files\NPrintingServer\rabbitmq_server-3.12.10

Environment

• Qlik NPrinting