CVE Catalog

CVE-2026-3960

Critical
Published: Translated: NVD NIST

Summary

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, allowing attackers to bypass these controls.

Risk Assessment

Attackers can remotely execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process, posing a serious security threat to the organization.

Recommendation

It is recommended to upgrade to version 3.46.0.10 to mitigate this vulnerability and implement additional security measures in the API.

Original NVD description (English source)

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS