Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
11Blast Radius
ecosystem impact- 20 maven packages depend on ai.h2o:h2o-core (20 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.46.0.10.
DescriptionCVE.org
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.
AnalysisAI
Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.
Technical ContextAI
H2O-3 is an open-source distributed machine learning platform from H2O.ai (CPE cpe:2.3:a:h2oai:h2oai/h2o-3) that exposes a REST API including /99/ImportSQLTable, which accepts JDBC connection URLs and uses water.jdbc.SQLManager to validate them. The root cause is CWE-94 (Code Injection): SQLManager.validateJdbcUrl maintained a denylist of dangerous JDBC parameters that only enumerated MySQL-specific options (autoDeserialize, queryInterceptors, allowLoadLocalInfile, etc.), so an attacker who switches the URL scheme from jdbc:mysql: to jdbc:postgresql: can supply PostgreSQL-driver-specific parameters such as socketFactory and socketFactoryArg, which the PostgreSQL JDBC driver instantiates as arbitrary Java classes (for example org.springframework.context.support.ClassPathXmlApplicationContext loading a remote XML bean definition), yielding code execution inside the H2O-3 JVM. The fix commit b9ae2d3c5220db2dc53753357a783e590364d044 extends the blacklist to include socketFactory, socketFactoryArg, sslfactory, sslfactoryarg, statementInterceptors, loggerLevel, and loggerFile.
RemediationAI
Vendor-released patch: H2O-3 3.46.0.10, which extends the SQLManager JDBC parameter blacklist to cover PostgreSQL-driver options (socketFactory, socketFactoryArg, sslfactory, sslfactoryarg, statementInterceptors, loggerLevel, loggerFile) per commit b9ae2d3c5220db2dc53753357a783e590364d044 - upgrade all H2O-3 nodes to 3.46.0.10 or later as the primary fix. Until upgrade, restrict network access to the H2O-3 REST API (default port 54321) so that only trusted clients can reach /99/ImportSQLTable, for example by binding the service to localhost or placing it behind an authenticating reverse proxy or VPN; the trade-off is that legitimate remote data-science clients will lose direct access and must route through the proxy. As an additional compensating control, block outbound network connections from the H2O-3 host to untrusted destinations to hinder the second-stage fetch of malicious XML/class payloads referenced by socketFactoryArg or loggerFile, accepting that this may break legitimate JDBC connectivity to remote databases. Advisory and patch details: https://huntr.com/bounties/6954fe04-b905-453f-8c53-205ac8377e0d and https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db2dc53753357a783e590364d044.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25205
GHSA-qmcv-hh7c-3m56