CRITICAL🇵🇱 Wersja polska

CVE-2026-3960

CVSS 9.8v3.0pub. 2026-04-23upd. 2026-05-19

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.

🤖 AI Analysis
How it works

The security mechanism in H2O-3 applies a blacklist of dangerous JDBC parameters, however it is only directed against the MySQL driver. An attacker can bypass this control by changing the JDBC URL protocol from jdbc:mysql: to jdbc:postgresql:, and then exploiting parameters specific to the PostgreSQL JDBC driver, such as socketFactory and socketFactoryArg. The /99/ImportSQLTable endpoint does not require authentication, which means the exploit is available to anyone who can connect to the server. As a result, it is possible to load and execute arbitrary code in the context of the H2O-3 process.

Impact

An unauthenticated attacker can execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process, which may lead to complete server compromise, data theft, and further lateral movement in the network.

Mitigation & patch

H2O-3 should be updated to version 3.46.0.10, in which the issue has been resolved. If immediate update is not possible, it is recommended to restrict network access to the /99/ImportSQLTable endpoint using a firewall or network rules so that it is accessible only from trusted IP addresses.

Who is affected

H2O-3 version 3.46.0.9 and all earlier versions

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • H2o

    APP
    H2O
    < 3.46.0.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2025-6544CRITICAL9.8PL ✓ten sam produkt

Deserializacja w H2O umożliwia RCE i odczyt plików systemowych

CVE-2024-10553CRITICAL9.8PL ✓ten sam produkt

RCE poprzez deserializację w REST API h2oai/h2o-3 (JDBC URL)

CVE-2024-45758CRITICAL9.1PL ✓ten sam produkt

H2O.ai H2O — RCE i odczyt plików przez niekontrolowany JDBC URL

CVE-2023-6016CRITICAL9.8ten sam produkt

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO mode...

CVE-2024-10550HIGH7.5ten sam produkt

A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service...