H2oai H2o 3
By the Year
In 2026 there have been 3 vulnerabilities in H2oai H2o 3 with an average score of 6.0 out of ten.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 5.97 |
It may take a day or so for new H2o 3 vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent H2oai H2o 3 Security Vulnerabilities
H2O-3 Rapids SetProperty Improper Access Control Vulnerability
CVE-2026-8752
5.3 - Medium
- May 17, 2026
A weakness has been identified in h2oai h2o-3 up to 7402. It affects the function exec in the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Manipulation can lead to improper access controls. The attack can be performed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Authorization
Remote Deserialization in h2o-3 importBinaryModel (JAR Handler)
CVE-2026-8751
7.3 - High
- May 17, 2026
A security flaw has been discovered in h2oai h2o-3 up to 7402. It affects the function importBinaryModel in the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Manipulation results in deserialization. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Marshaling, Unmarshaling
h2o-3 ImportFile API Info Disclosure via PersistNFS
CVE-2026-8750
5.3 - Medium
- May 17, 2026
A vulnerability was identified in h2oai h2o-3 up to 7402. It affects the function importFiles in the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Manipulation leads to information disclosure. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Information Disclosure