CVE-2026-3960— Remote Code Execution in h2oai/h2o-3

Remote Code Execution in h2oai/h2o-3

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.

N/A

对生成代码的控制不恰当(代码注入)

H2O 代码注入漏洞

H2O是H2O.ai开源的一个用于分布式、可扩展机器学习的内存平台。 H2O 3.46.0.9及之前版本存在代码注入漏洞，该漏洞源于参数黑名单机制安全控制不足，攻击者可通过切换JDBC URL协议并利用PostgreSQL JDBC驱动特定参数绕过控制，可能导致未经身份验证的攻击者执行任意代码。

N/A

N/A