CVE-2026-8751

Vulnerability

Overview

CVE-2026-8751 describes a pre-authentication insecure deserialization vulnerability in the H2O-3 machine learning platform. The flaw resides in the importBinaryModel function within h2o-core/src/main/java/hex/Model.java. By importing a crafted binary model, an attacker can restore a serialized reference to a custom_metric_func that points to an attacker-controlled JAR previously stored in the distributed key-value store (DKV). [1]

Exploitation

The attacker first uploads a malicious JAR to DKV via an unauthenticated PUT request, then trains a model that uses the JAR as a custom metric function (custom_metric_func=java:<jarKey>=<class>) and exports the model as a binary file. The binary model is then re-imported using an unauthenticated POST call to /99/Models.bin. During import, Keyed.readAll(ab) deserializes the attacker-controlled bytes, restoring the custom_metric_func reference without requiring authentication or any session token. [1]

Impact

When the imported model is subsequently used for scoring (prediction), the DkvClassLoader resolves the restored custom_metric_func, loads the attacker-controlled JAR from DKV, and instantiates the specified class. This enables arbitrary code execution on the H2O-3 server. The proof-of-concept shows that a malicious class can read server-side Java properties, such as sys.ai.h2o.audit.stage=2, confirming full remote code execution. An unauthenticated attacker can achieve a CVSS v3 score of 7.3 (High) by sending a single crafted request. [1]

Mitigation

The vendor (h2oai) was contacted but did not respond, and as of the publication date (May 2026) no patch has been released. Users must restrict network access to H2O-3 instances, disable the binary model import endpoint if possible, or apply strict network segmentation until an official fix is available. [1]