
A recent security advisory from KNIME details several vulnerabilities affecting KNIME Business Hub, the customer-managed KNIME Hub instance that provides access to Hub resources and allows for customization and access management. For each issue the advisory describes the impact and names the versions that fix it.
Cross-Site Scripting Vulnerabilities (CVE-2025-3019)
KNIME Business Hub is susceptible to cross-site scripting (XSS) in its web pages. The advisory warns that if a user opens a malicious link or web page, arbitrary JavaScript may be executed in that user's browser session and therefore with that user's permissions. Any action the victim is allowed to perform in the Hub is then available to the attacker's script, which could lead to disclosure of information or unauthorized modification of data.
According to the advisory, the vulnerabilities are due to a bug in the nuxt-security module. KNIME strongly recommends updating to KNIME Business Hub version 1.13.3 or 1.12.4 or later; there is no workaround other than updating.
Ingress-nginx Vulnerability (CVE-2025-2787)
KNIME Business Hub is also affected by the ingress-nginx vulnerability CVE-2025-1974, also known as Ingress Nightmare. In the worst case, this vulnerability in the ingress-nginx component could allow a complete takeover of the Kubernetes cluster on which the Hub runs.
The advisory notes that the affected component is only reachable from within the cluster and that exploitation requires an authenticated user, which limits the immediate exposure, but it still rates the severity within the KNIME Business Hub context as significant. Users are directed to the KNIME website for further details, including the affected and fixed Hub versions.
Hard-coded Password for Object Store (CVE-2025-2402)
A particularly critical vulnerability is a hard-coded, non-random password for the object store (minio) in all KNIME Business Hub versions except the patched ones. Because the password is the same in every installation, a remote attacker who knows it needs no Hub account at all: with it they can read and manipulate swapped jobs, as well as the input and output data of active jobs.
The advisory further warns that such an attacker could also cause a denial of service of most KNIME Business Hub functionality by writing large amounts of data directly to the object store. As with the other issues, KNIME strongly advises updating to the patched versions (1.13.2, 1.12.3, 1.11.3, or 1.10.3 or later) to address this issue.
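A first step when triaging this advisory is to work out which of the version thresholds apply to an installed Hub. The following script is an added example, not KNIME's code or tooling: it takes the fixed versions quoted above for the XSS issue (1.13.3 / 1.12.4) and the hard-coded minio password (1.13.2 / 1.12.3 / 1.11.3 / 1.10.3) and reports, per advisory, whether a given version string is fixed. The ingress-nginx issue is left out because this summary gives no Hub version threshold for it. Two rules are assumptions made for the example rather than KNIME's wording: a release line newer than every listed fix is treated as containing the fix ("or later"), and a release line with no listed fix of its own is reported as affected with a pointer to the oldest fixed line.

```python
"""Check a KNIME Business Hub version against the fixed versions quoted in the
advisory summary above. Added example, not KNIME's own tooling."""
from __future__ import annotations

# Fixed versions per release line (major, minor), as given in the advisory summary.
# The ingress-nginx issue (CVE-2025-1974) is omitted: the summary gives no
# KNIME version threshold for it, only a pointer to the KNIME website.
FIXED_VERSIONS: dict[str, dict[tuple[int, int], tuple[int, int, int]]] = {
    "CVE-2025-3019 (XSS via nuxt-security)": {
        (1, 13): (1, 13, 3),
        (1, 12): (1, 12, 4),
    },
    "CVE-2025-2402 (hard-coded minio password)": {
        (1, 13): (1, 13, 2),
        (1, 12): (1, 12, 3),
        (1, 11): (1, 11, 3),
        (1, 10): (1, 10, 3),
    },
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' is tolerated, anything else is rejected."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected KNIME Business Hub version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> dict[str, str]:
    """Return, per advisory, 'fixed' or an 'affected: ...' status for the given version.

    Assumptions made for this example (not KNIME's wording):
    - a release line with a listed fix is fixed at or above that patch level;
    - a release line newer than every listed fix is treated as fixed ("or later");
    - a release line without a listed fix is affected and must move to the
      oldest fixed line (or later).
    """
    v = parse_version(version)
    line = v[:2]
    report: dict[str, str] = {}
    for advisory, fixes in FIXED_VERSIONS.items():
        if line in fixes:
            fixed_at = fixes[line]
            if v >= fixed_at:
                report[advisory] = "fixed"
            else:
                report[advisory] = "affected: upgrade to %d.%d.%d" % fixed_at
        elif line > max(fixes):
            # Newer release line than any listed fix: assumed to carry the fix.
            report[advisory] = "fixed"
        else:
            # No patch exists on this release line; point at the oldest fixed line.
            target = fixes[min(fixes)]
            report[advisory] = (
                "affected: no fix on this release line, move to %d.%d.%d or later" % target
            )
    return report


def is_vulnerable(version: str) -> bool:
    """True if any advisory in FIXED_VERSIONS still applies to the given version."""
    return any(status != "fixed" for status in assess(version).values())


if __name__ == "__main__":
    import sys

    # Constructed sample inputs when no version is passed on the command line.
    for arg in sys.argv[1:] or ["1.13.2", "1.12.4", "1.11.3", "1.9.0"]:
        print(arg, "VULNERABLE" if is_vulnerable(arg) else "ok", assess(arg))
```

Note that 1.13.2 and 1.11.3 close the minio issue but not the XSS one, so a Hub that was patched for CVE-2025-2402 alone still needs the later 1.13.3 or 1.12.4 release; the per-advisory output makes that gap visible rather than collapsing everything into one "patched" flag.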