Remote Code Execution Vulnerability in H2O-3 Produced by H2O.ai
CVE-2026-3960

5.9 MEDIUM

Key Information:

Vendor

H2oai

CVE Published:
23 April 2026

What is CVE-2026-3960?

A remote code execution vulnerability has been identified in H2O-3, in the REST API endpoint /99/ImportSQLTable, which is reachable without authentication. The endpoint accepts a caller-supplied JDBC connection URL and guards it with a parameter blacklist that only covers dangerous parameters specific to the MySQL JDBC driver. Because the blacklist is keyed to one driver, an attacker can switch the URL scheme to jdbc:postgresql: and supply PostgreSQL JDBC driver parameters that the filter never inspects, such as socketFactory and socketFactoryArg, which cause the driver to load and instantiate an attacker-chosen class. As a result, an unauthenticated attacker can execute arbitrary code on the H2O-3 server with the same privileges as the H2O-3 process. This issue has been addressed in version 3.46.0.10.
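To make the bypass concrete, the following Python sketch is an added example, not H2O-3's own code and not the fix shipped in 3.46.0.10. It models a per-driver blacklist of the kind described above beside a driver-and-property allowlist, and runs the same PostgreSQL URL through both. Only the jdbc:postgresql: scheme and the socketFactory / socketFactoryArg parameter names come from the advisory; the contents of the blacklist, the allowed property set, the host names and the class name in the sample URL are assumptions chosen for illustration.

```python
"""
JDBC connection-URL filtering, vulnerable blacklist beside a hardened allowlist.
Example code added for illustration; it is not taken from H2O-3.
"""
from urllib.parse import urlsplit, parse_qsl

# ASSUMPTION: a blacklist that only knows MySQL Connector/J properties. The page does
# not list what H2O-3's blacklist contained; these well-known Connector/J keys stand
# in for it. Compared case-insensitively.
MYSQL_BLACKLIST = frozenset({"autodeserialize", "allowloadlocalinfile", "allowurlinlocalinfile"})

# ASSUMPTION: the hardened policy. Only these driver schemes and these connection
# properties are accepted; anything else is rejected before a driver ever sees it.
ALLOWED_SCHEMES = frozenset({"mysql", "postgresql"})
ALLOWED_PROPERTIES = frozenset({"user", "password", "ssl", "sslmode", "connecttimeout"})


def parse_jdbc_url(url: str):
    """Split 'jdbc:<driver>://host/db?k=v&...' into (driver_scheme, {key: value}).

    Keys are lower-cased so the comparison cannot be dodged by changing case.
    """
    if not url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])          # urlsplit understands 'postgresql://...'
    props = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    return parts.scheme.lower(), props


def vulnerable_filter(url: str) -> bool:
    """Blacklist modelled on the advisory: it ignores the driver scheme entirely and
    only rejects MySQL-specific keys, so PostgreSQL-only keys pass untouched."""
    _scheme, props = parse_jdbc_url(url)
    return not (props.keys() & MYSQL_BLACKLIST)


def hardened_filter(url: str) -> bool:
    """Allowlist: the driver must be known AND every property must be explicitly
    permitted. Driver-specific class-loading knobs are rejected regardless of driver."""
    scheme, props = parse_jdbc_url(url)
    if scheme not in ALLOWED_SCHEMES:
        return False
    return props.keys() <= ALLOWED_PROPERTIES


def disallowed_properties(url: str) -> set:
    """The property names the hardened policy would reject; useful for logging."""
    _scheme, props = parse_jdbc_url(url)
    return set(props) - ALLOWED_PROPERTIES


# Constructed sample URLs (hosts and class name are made up for the example).
MYSQL_ATTACK = "jdbc:mysql://db.example.internal:3306/app?autoDeserialize=true"
PGSQL_ATTACK = ("jdbc:postgresql://db.example.internal:5432/app"
                "?socketFactory=com.example.Evil&socketFactoryArg=payload")
BENIGN = "jdbc:postgresql://db.example.internal:5432/app?user=h2o&sslmode=require"

if __name__ == "__main__":
    for label, url in (("mysql attack", MYSQL_ATTACK), ("pgsql attack", PGSQL_ATTACK), ("benign", BENIGN)):
        print(f"{label:13s} blacklist={vulnerable_filter(url)!s:5s} "
              f"allowlist={hardened_filter(url)!s:5s} rejected={sorted(disallowed_properties(url))}")
```

The point the run makes is that the MySQL URL is caught by both checks, while the PostgreSQL URL carrying socketFactory and socketFactoryArg sails through the blacklist and is stopped only by the allowlist. A per-driver blacklist is fragile because every JDBC driver has its own set of class-loading properties (pgjdbc also exposes sslfactory and sslfactoryarg, for instance), so enumerating bad keys per driver is a losing race; restricting the accepted scheme and property names is the check a practitioner would want in front of any caller-supplied JDBC URL.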

Affected Version(s)

h2oai/h2o-3 < 3.46.0.10

References

CVSS V3.0

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 23 April 2026

  • Vulnerability reserved