CVE-2026-8752

5.3 MEDIUM

A weakness has been identified in h2oai h2o-3 up to 7402

Published: 2026-05-17 · Last updated: 2026-05-19

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-266, CWE-284

Affected products

Vendor	Product
h2o	h2o

Description

A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8752
[Other]https://vuldb.com/submit/810108
[Other]https://vuldb.com/vuln/364379
[Other]https://vuldb.com/vuln/364379/cti
[Other]https://vulnplus-note.wetolink.com/share/pyVa0GWPuAZE

Related CVEs

Same vendor

CVE-2026-8751 — A security flaw has been discovered in h2oai h2o-3 up to 7402 (7.3 HIGH)
CVE-2026-8750 — A vulnerability was identified in h2oai h2o-3 up to 7402 (5.3 MEDIUM)
CVE-2026-3960 — A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0... (9.8 CRITICAL)

Same CWE

CVE-2026-53520 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.5 MEDIUM)
CVE-2026-44783 — Discourse is an open-source discussion platform (5.4 MEDIUM)
CVE-2026-47182 — Frappe is a full-stack web application framework
CVE-2026-44976 — Frappe is a full-stack web application framework
CVE-2026-44208 — Frappe is a full-stack web application framework