h2oai h2o-3 Rapids setproperty Primitive AstSetProperty.java exec access control

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-8752

Source VulDB

Published May 17, 2026 at 11:45

Affected Product

Vendor h2oai

Product h2o-3

Version 7402

Affected Versions h2oai h2o-3 7402

CWE Classification

CWE-284 CWE-266

References

{
    "lastseen": "",
    "description": "A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-05-17T11:45:11.583Z",
    "modified": "2026-05-17T11:45:11.583Z",
    "type": "cve",
    "title": "h2oai h2o-3 Rapids setproperty Primitive AstSetProperty.java exec access control",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/364379\nhttps://vuldb.com/vuln/364379/cti\nhttps://vuldb.com/submit/810108\nhttps://vulnplus-note.wetolink.com/share/pyVa0GWPuAZE",
    "id": "CVE-2026-8752",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284",
        "CWE-266"
    ],
    "cvelist": null,
    "sourceData": "h2oai h2o-3 7402",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "h2o-3",
    "version": "7402",
    "vendor": "h2oai",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

h2oai h2o-3 Rapids setproperty Primitive AstSetProperty.java exec access control_CVE-2026-8752