CVE-2026-8752
Description
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Manipulation can lead to improper access controls. The attack can be performed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated remote attacker can invoke the Rapids setproperty primitive in H2O-3 to enable disabled POJO import and execute arbitrary POJO code, bypassing built-in security controls.
Vulnerability Overview
CVE-2026-8752 describes a pre-authentication logic flaw in H2O-3 (up to version 7402) within the Rapids setproperty primitive handler, located in h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java. The setproperty primitive is intended for internal debugging use only, but the publicly exposed POST /99/Rapids endpoint allows unauthenticated remote callers to invoke it. This enables an attacker to write arbitrary system properties across all cluster nodes without any authentication [1].
Exploitation Method
The attack exploits a bypass of the product's own security control. H2O-3 blocks POJO model import by default unless the system property sys.ai.h2o.pojo.import.enabled is explicitly set to true; when disabled, importing a POJO throws a SecurityException stating that POJO import is disabled due to security risk. An unauthenticated attacker can circumvent this protection in three steps: upload a malicious but valid POJO model source file, attempt the import (which correctly fails), then call POST /99/Rapids with ast=(setproperty 'sys.ai.h2o.pojo.import.enabled' 'true') to enable the disabled feature. Retrying the POJO import then succeeds [1].
Impact
Once the POJO is imported, it is compiled and instantiated on the server, and its constructor logic executes within the cluster. A proof-of-concept demonstrated that an attacker-controlled POJO can modify cluster-wide runtime state—for example, setting sys.ai.h2o.session.allow_properties=false, which changes the response of GET /3/InitID from session_properties_allowed=true to session_properties_allowed=false. This confirms that the attacker not only bypassed a default-disabled security gate but also achieved arbitrary code execution through the imported POJO and altered persistent cluster configuration [1].
Mitigation Status
The vendor was contacted early about this disclosure but did not respond. At the time of publication, no official patch or advisory has been released for H2O-3. The exploit has been made publicly available, increasing the risk of active exploitation. Organizations running affected versions should consider network-level access controls to restrict exposure of the Rapids endpoint until a vendor-supplied fix becomes available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
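One way to look for the Rapids call described above in HTTP request logs, as an added example that is not part of the advisory or of H2O-3. It assumes a hypothetical reverse-proxy log in JSON lines with ts, src, method, path and body fields; all sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Call form quoted in the advisory: (setproperty '<key>' '<value>').
# Accepting double quotes as well is an assumption of this example.
SETPROP = re.compile(r"""\(\s*setproperty\s+(['"])(.*?)\1\s+(['"])(.*?)\3\s*\)""")
GATE = "sys.ai.h2o.pojo.import.enabled"  # security gate named in the advisory

def rapids_ast(rec):
    """Return the decoded ast parameter of a POST /99/Rapids request, else None."""
    url = urlsplit(rec["path"])
    if rec["method"].upper() != "POST" or url.path.rstrip("/") != "/99/Rapids":
        return None
    params = parse_qs(url.query)                  # ast passed in the query string
    params.update(parse_qs(rec.get("body", "")))  # or in the form-encoded body
    return params.get("ast", [None])[0]

def find_setproperty(lines):
    """Flag every setproperty call; critical when it enables POJO import."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        ast = rapids_ast(rec)
        for m in SETPROP.finditer(ast or ""):
            key, value = m.group(2), m.group(4)
            critical = key == GATE and value.strip().lower() == "true"
            findings.append({"ts": rec["ts"], "src": rec["src"], "key": key,
                             "value": value,
                             "severity": "critical" if critical else "high"})
    return findings

# Constructed sample records (hypothetical proxy log schema, documentation IPs).
SAMPLE_LOG = [json.dumps(r) for r in (
    {"ts": "2026-05-18T10:00:01Z", "src": "198.51.100.7", "method": "POST",
     "path": "/99/Rapids", "body": "ast=%28nrow+data.hex%29"},
    {"ts": "2026-05-18T10:00:05Z", "src": "198.51.100.7", "method": "POST",
     "path": "/99/Rapids",
     "body": "ast=%28setproperty+%27sys.ai.h2o.pojo.import.enabled%27+%27true%27%29"},
    {"ts": "2026-05-18T10:00:09Z", "src": "203.0.113.9", "method": "POST",
     "path": "/99/Rapids?ast=(setproperty%20%22example.debug.flag%22%20%221%22)",
     "body": ""},
    {"ts": "2026-05-18T10:00:12Z", "src": "198.51.100.7", "method": "GET",
     "path": "/3/InitID", "body": ""},
)]

if __name__ == "__main__":
    for f in find_setproperty(SAMPLE_LOG):
        print(f)
```

Any hit is worth triage, since the primitive is described as intended for internal debugging only; this check only works where the proxy records request bodies.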
Affected products: 2
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.