Vulnerabilities ›

CVE-2026-8752

Medium

CWE-266 — Weakness Type

                    Published: May 17, 2026                      ·  Modified: May 20, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

CVE-2026-8752 is a medium-severity vulnerability in H2O-3 up to version 7402 affecting the Rapids setproperty primitive handler, allowing improper access control through remote manipulation of the exec function. The vulnerability stems from inadequate access controls in AstSetProperty.java and has public exploit code available.

📄 Description (Arabic)

تؤثر هذه الثغرة على معالج Rapids setproperty في H2O-3 وتسمح بالوصول غير المصرح به من خلال التلاعب بدالة exec. يمكن استغلال الثغرة عن بعد ويتوفر لها رمز استغلال عام.

🤖 ملخص تنفيذي (AI)

This vulnerability in H2O-3 allows remote attackers to bypass access controls through the Rapids setproperty handler, potentially affecting organizations using H2O for machine learning and data analytics. The availability of public exploits increases the risk of exploitation against Saudi organizations.

🤖 AI Intelligence Analysis Analyzed: May 29, 2026 06:41

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

banking energy government healthcare

🎯 MITRE ATT&CK Techniques

T1078 T1548 T1190

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade H2O-3 to a patched version beyond 7402 immediately. Implement network segmentation to restrict access to H2O instances. Apply principle of least privilege for user accounts accessing H2O. Monitor and audit all setproperty operations. Disable Rapids functionality if not required.

🔧 خطوات المعالجة (العربية)

قم بترقية H2O-3 إلى إصدار مصحح بعد الإصدار 7402 فوراً. طبق تقسيم الشبكة لتقييد الوصول إلى مثيلات H2O. طبق مبدأ الامتيازات الأقل للحسابات التي تصل إلى H2O. راقب وتدقيق جميع عمليات setproperty. عطل وظيفة Rapids إذا لم تكن مطلوبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2 5.2.1

🔵 SAMA CSF

AC-2 AC-3 AC-6

🟡 ISO 27001:2022

A.9.1.1 A.9.2.1 A.9.4.1

🔗 References & Sources 4

🔗

https://vuldb.com/submit/810108

cna@vuldb.com

Third Party Advisory VDB Entry

🔗

https://vuldb.com/vuln/364379

cna@vuldb.com

Third Party Advisory VDB Entry

🔗

https://vuldb.com/vuln/364379/cti

cna@vuldb.com

Permissions Required VDB Entry

🔗

https://vulnplus-note.wetolink.com/share/pyVa0GWPuAZE

cna@vuldb.com

Broken Link

📦 Affected Products / CPE 1 entries

h2o:h2o

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-266

EPSS0.08%

Exploit No

Patch ✗ No

Published 2026-05-17

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-266

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-8752

Introduce Yourself

Sign In Required