Skip to main content

H2O-3 CVE-2026-3960

| EUVDEUVD-2026-25205 CRITICAL
Code Injection (CWE-94)
2026-04-23 @huntr_ai GHSA-qmcv-hh7c-3m56
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

11
Source Code Evidence Fetched
May 19, 2026 - 22:13 vuln.today
Analysis Updated
May 19, 2026 - 22:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 22:07 vuln.today
cvss_changed
Severity Changed
May 19, 2026 - 22:07 NVD
MEDIUM CRITICAL
CVSS changed
May 19, 2026 - 22:07 NVD
5.9 (MEDIUM) 9.8 (CRITICAL)
Patch released
Apr 24, 2026 - 14:50 nvd
Patch available
Patch available
Apr 23, 2026 - 11:01 EUVD
Analysis Generated
Apr 23, 2026 - 10:31 vuln.today
EUVD ID Assigned
Apr 23, 2026 - 10:00 euvd
EUVD-2026-25205
Analysis Generated
Apr 23, 2026 - 10:00 vuln.today
CVE Published
Apr 23, 2026 - 08:47 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 20 maven packages depend on ai.h2o:h2o-core (20 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.46.0.10.

DescriptionCVE.org

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.

AnalysisAI

Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.

Technical ContextAI

H2O-3 is an open-source distributed machine learning platform from H2O.ai (CPE cpe:2.3:a:h2oai:h2oai/h2o-3) that exposes a REST API including /99/ImportSQLTable, which accepts JDBC connection URLs and uses water.jdbc.SQLManager to validate them. The root cause is CWE-94 (Code Injection): SQLManager.validateJdbcUrl maintained a denylist of dangerous JDBC parameters that only enumerated MySQL-specific options (autoDeserialize, queryInterceptors, allowLoadLocalInfile, etc.), so an attacker who switches the URL scheme from jdbc:mysql: to jdbc:postgresql: can supply PostgreSQL-driver-specific parameters such as socketFactory and socketFactoryArg, which the PostgreSQL JDBC driver instantiates as arbitrary Java classes (for example org.springframework.context.support.ClassPathXmlApplicationContext loading a remote XML bean definition), yielding code execution inside the H2O-3 JVM. The fix commit b9ae2d3c5220db2dc53753357a783e590364d044 extends the blacklist to include socketFactory, socketFactoryArg, sslfactory, sslfactoryarg, statementInterceptors, loggerLevel, and loggerFile.

RemediationAI

Vendor-released patch: H2O-3 3.46.0.10, which extends the SQLManager JDBC parameter blacklist to cover PostgreSQL-driver options (socketFactory, socketFactoryArg, sslfactory, sslfactoryarg, statementInterceptors, loggerLevel, loggerFile) per commit b9ae2d3c5220db2dc53753357a783e590364d044 - upgrade all H2O-3 nodes to 3.46.0.10 or later as the primary fix. Until upgrade, restrict network access to the H2O-3 REST API (default port 54321) so that only trusted clients can reach /99/ImportSQLTable, for example by binding the service to localhost or placing it behind an authenticating reverse proxy or VPN; the trade-off is that legitimate remote data-science clients will lose direct access and must route through the proxy. As an additional compensating control, block outbound network connections from the H2O-3 host to untrusted destinations to hinder the second-stage fetch of malicious XML/class payloads referenced by socketFactoryArg or loggerFile, accepting that this may break legitimate JDBC connectivity to remote databases. Advisory and patch details: https://huntr.com/bounties/6954fe04-b905-453f-8c53-205ac8377e0d and https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db2dc53753357a783e590364d044.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-3960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy