Talend JobServer RCE via unauth JMX Monitoring Port
CVE-2026-6264 Published on April 14, 2026
Critical Security fix for the Talend JobServer and Talend Runtime
A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution. The attack vector is the JMX monitoring port of the Talend JobServer. For the Talend JobServer, the vulnerability can be mitigated by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default as of the R2024-07-RT patch.
Products Associated with CVE-2026-6264
Talend JobServer, Talend ESB Runtime
Affected Versions
Talend JobServer:
- Version 8.0 and below TPS-6017 is affected.
- Version 7.3 and below TPS-6018 is affected.
- Version 8.0 and below 8.0.1.R2026-01-RT is affected.
- Version 7.3 and below 7.3.1-R2026-01 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.