CVE-2026-8752
MEDIUMh2oai h2o-3 Rapids setproperty Primitive AstSetProperty.java exec access control
Title source: cnaDescription
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
References (4)
Core 4
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-364379 | h2oai h2o-3 Rapids setproperty Primitive AstSetProperty.java exec access control
https://vuldb.com/vuln/364379
Signature, Permissions Required signature
permissions-required
VDB-364379 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/364379/cti
Third Party Advisory third-party-advisory
Submit #810108 | H2O-3 latest pre-auth logic flaw
https://vuldb.com/submit/810108
Exploit exploit
https://vulnplus-note.wetolink.com/share/pyVa0GWPuAZE
Scores
CVSS v3
5.3
EPSS
0.0031
EPSS Percentile
22.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-266
CWE-284
Status
published
Products (2)
h2o/h2o
< 7402
h2oai/h2o-3
7402
Published
May 17, 2026
Tracked Since
May 17, 2026