CVE-2026-3960: CWE-94 Improper Control of Generation of Code in h2oai h2oai/h2o-3
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.
AI Analysis
Technical Summary
This vulnerability in H2O-3 arises from improper control of code generation (CWE-94) in the /99/ImportSQLTable REST API endpoint. The security mechanism attempts to block dangerous parameters for MySQL JDBC but fails to account for PostgreSQL JDBC driver-specific parameters, allowing attackers to bypass restrictions by switching the JDBC URL protocol to jdbc:postgresql: and specifying parameters like socketFactory and socketFactoryArg. This leads to unauthenticated remote code execution on the server running H2O-3 with the application's privileges. The issue is fixed in version 3.46.0.10.
Potential Impact
An unauthenticated attacker can remotely execute arbitrary code on the H2O-3 server with the same privileges as the H2O-3 process. This can lead to full compromise of the affected system. The CVSS v3.0 base score is 5.9, indicating medium severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability (denial of service or disruption).
Mitigation Recommendations
Upgrade H2O-3 to version 3.46.0.10 or later, where this vulnerability is resolved. Since the vendor advisory or patch links are not explicitly provided, verify the upgrade availability from the official H2O-3 release notes or vendor site. No other mitigations are specified. Patch status is not explicitly confirmed in the input data, so check the vendor advisory for current remediation guidance.
CVE-2026-3960: CWE-94 Improper Control of Generation of Code in h2oai h2oai/h2o-3
Description
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in H2O-3 arises from improper control of code generation (CWE-94) in the /99/ImportSQLTable REST API endpoint. The security mechanism attempts to block dangerous parameters for MySQL JDBC but fails to account for PostgreSQL JDBC driver-specific parameters, allowing attackers to bypass restrictions by switching the JDBC URL protocol to jdbc:postgresql: and specifying parameters like socketFactory and socketFactoryArg. This leads to unauthenticated remote code execution on the server running H2O-3 with the application's privileges. The issue is fixed in version 3.46.0.10.
Potential Impact
An unauthenticated attacker can remotely execute arbitrary code on the H2O-3 server with the same privileges as the H2O-3 process. This can lead to full compromise of the affected system. The CVSS v3.0 base score is 5.9, indicating medium severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability (denial of service or disruption).
Mitigation Recommendations
Upgrade H2O-3 to version 3.46.0.10 or later, where this vulnerability is resolved. Since the vendor advisory or patch links are not explicitly provided, verify the upgrade availability from the official H2O-3 release notes or vendor site. No other mitigations are specified. Patch status is not explicitly confirmed in the input data, so check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-03-11T12:52:45.232Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9eb8887115cfb68f9fc46
Added to database: 4/23/2026, 9:51:04 AM
Last enriched: 4/23/2026, 10:06:49 AM
Last updated: 4/24/2026, 6:09:06 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.