Skip to main content

h2o-3 CVE-2026-8750

| EUVDEUVD-2026-30694 MEDIUM
Information Exposure (CWE-200)
2026-05-17 VulDB GHSA-2g37-rjvj-534q
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 17, 2026 - 11:30 vuln.today
CVSS changed
May 17, 2026 - 11:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)

DescriptionCVE.org

A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Information disclosure in h2oai h2o-3 through version 7402 allows remote unauthenticated attackers to read arbitrary files from the server filesystem via the ImportFile API endpoint. The vulnerability resides in the importFiles function of PersistNFS.java and is confirmed actively exploited with publicly available exploit code (CVSS:4.0 E:P). Despite early vendor notification, h2oai has not responded or issued a patch, leaving deployments at risk of credential theft, source code exposure, or configuration file access.

Technical ContextAI

h2o-3 is an open-source machine learning platform written in Java. The vulnerability exists in water.persist.PersistNFS.importFiles() within h2o-core, which handles file import operations through the ImportFile API. This component is designed to load datasets from networked filesystems but fails to properly validate or restrict file paths. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating insufficient access controls on file system operations. The CVSS vector confirms network-based exploitation (AV:N) with low complexity (AC:L) requiring no authentication (PR:N) or user interaction (UI:N), targeting confidentiality only (VC:L with no integrity or availability impact).

RemediationAI

No vendor-released patch exists at time of analysis despite early disclosure (vendor non-responsive per VulDB submission 810105). Immediate compensating controls required: (1) Restrict network access to h2o-3 API endpoints using firewall rules or reverse proxy authentication-allow only trusted IP ranges and authenticated users, though this increases operational overhead for legitimate data science workflows. (2) Deploy h2o-3 behind VPN or private network segments isolated from internet exposure-limits usability for remote teams. (3) Implement application-layer filtering to block or sanitize path traversal sequences in ImportFile API requests-requires custom middleware and may break legitimate import functionality if paths contain '..' legitimately. (4) Monitor access logs for ImportFile API calls with suspicious file paths (e.g., /etc/passwd, .ssh/, .aws/, config files)-detection-only, does not prevent exploitation. (5) If feasible, disable the ImportFile API entirely and use alternative data ingestion methods-eliminates attack surface but requires workflow changes. Exploit details available at https://vulnplus-note.wetolink.com/share/wWjmsfKHRJi3 should inform detection rule creation. Organizations must accept residual risk or migrate to alternative ML platforms until h2oai provides an official fix.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-8750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy