CVE-2026-8750 Overview
CVE-2026-8750 is an information disclosure vulnerability in h2oai h2o-3 through version 7402. The flaw resides in the importFiles function within h2o-core/src/main/java/water/persist/PersistNFS.java, part of the ImportFile API component. A remote attacker can manipulate the affected function to disclose information from the host system without authentication or user interaction. The exploit is publicly available, increasing the likelihood of opportunistic abuse. According to the disclosure, the vendor was contacted but did not respond.
Critical Impact
Unauthenticated remote attackers can leverage the ImportFile API to disclose sensitive file contents from systems running vulnerable h2o-3 deployments.
Affected Products
- h2oai h2o-3 versions up to and including 7402
- Deployments exposing the ImportFile API over the network
- Java component h2o-core containing PersistNFS.java
Discovery Timeline
- 2026-05-17 - CVE-2026-8750 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8750
Vulnerability Analysis
The vulnerability resides in the importFiles function of PersistNFS.java in the h2o-core module. This function is invoked through the ImportFile API, which allows clients to load datasets from file paths accessible to the h2o-3 server process. Manipulation of the file path input leads to disclosure of information that should not be exposed to remote callers. The weakness is categorized as [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
The ImportFile API is intended for loading machine learning datasets but does not adequately restrict the scope of files it will read. Because h2o-3 deployments commonly expose the REST API for data science workflows, the function becomes reachable from any host able to communicate with the cluster.
Root Cause
The root cause is insufficient validation of file path arguments passed to importFiles. The function operates on paths supplied by remote callers and returns file contents without verifying that the requesting client is authorized to access them. h2o-3 ships without authentication enabled by default, which amplifies the exposure.
Attack Vector
The attack is executed remotely over the network. An attacker sends a crafted request to the ImportFile API endpoint specifying a target file path on the h2o-3 host. The server reads the requested resource and returns its contents in the API response. No privileges or user interaction are required to complete the attack.
See the VulDB vulnerability record for additional technical context. No verified proof-of-concept code is included here.
Detection Methods for CVE-2026-8750
Indicators of Compromise
- Unexpected HTTP requests to h2o-3 REST endpoints invoking ImportFile or importFiles actions
- API requests referencing file paths outside expected dataset directories, such as /etc/, /root/, or user home directories
- Outbound responses from h2o-3 nodes containing unusually large or sensitive file payloads
Detection Strategies
- Inspect h2o-3 access logs for ImportFile API calls with suspicious path parameters
- Deploy network monitoring rules that flag requests to h2o-3 listener ports referencing system file paths
- Correlate ImportFile activity with source IP reputation and authentication state of the cluster
Monitoring Recommendations
- Forward h2o-3 application logs to a centralized SIEM for retention and correlation
- Alert on any access to the ImportFile API from sources outside the trusted data science network segment
- Baseline normal dataset import paths and alert on deviations from that baseline
How to Mitigate CVE-2026-8750
Immediate Actions Required
- Restrict network access to h2o-3 REST API endpoints using firewall rules or security groups
- Place h2o-3 clusters behind an authenticated reverse proxy that enforces access control on ImportFile calls
- Audit existing h2o-3 deployments for exposure to untrusted networks and remediate any public exposure
Patch Information
At the time of publication, no vendor patch has been released. The disclosure notes that the vendor was contacted but did not respond. Monitor the h2oai h2o-3 project for future security releases addressing this issue.
Workarounds
- Run h2o-3 with operating system user accounts that have minimal file system read permissions
- Enable h2o-3 authentication features such as Kerberos, LDAP, or hash-file login to require credentials on API calls
- Isolate h2o-3 clusters on dedicated network segments accessible only to authorized analytics workstations
- Disable or proxy the ImportFile API if local file imports are not required for production workloads
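As an added example that is not part of the original advisory or of the h2o-3 project, the Python script below implements the path-scope check that the Detection Strategies and Monitoring Recommendations sections call for (baseline the dataset directories, flag deviations and calls from untrusted sources) and reuses it as the policy an authenticated reverse proxy from the Workarounds list could apply before forwarding an ImportFile call. The log line layout, the /3/ImportFiles URL with a path query parameter, the nfs: and file:// prefixes, the dataset root, the trusted network range and the sample log lines are all assumptions or constructed for this example, not values taken from h2o-3.

```python
"""Added example (not h2o-3 project code): scope check for ImportFile paths,
used to triage h2o-3 request logs and as a reverse-proxy forwarding policy.
Log format, endpoint name, prefixes and sample data are assumed/constructed."""
import ipaddress
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions for the example: where legitimate datasets live, and which
# network segment holds the authorized analytics workstations.
ALLOWED_DATASET_ROOTS = ("/srv/h2o/datasets",)
TRUSTED_NETWORK = ipaddress.ip_network("10.20.0.0/16")

# Constructed log layout: "<timestamp> <source ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines: one benign import, one unrelated endpoint, then
# a traversal attempt from outside the segment, an absolute system path with
# an nfs: prefix, and a relative path (resolved against the server's cwd).
SAMPLE_LOG = """\
2026-05-18T10:01:02Z 10.20.5.7 GET /3/ImportFiles?path=/srv/h2o/datasets/train.csv 200
2026-05-18T10:01:09Z 10.20.5.7 GET /3/Cloud 200
2026-05-18T10:03:44Z 203.0.113.9 GET /3/ImportFiles?path=/srv/h2o/datasets/../../../etc/passwd 200
2026-05-18T10:04:01Z 10.20.5.8 GET /3/ImportFiles?path=nfs:/root/.bash_history 200
2026-05-18T10:04:30Z 10.20.5.9 GET /3/ImportFiles?path=data/train.csv 200
"""


def extract_import_path(url):
    """Return the 'path' query value of an ImportFile call ("" if absent),
    or None when the URL is not an ImportFile call at all (endpoint name assumed)."""
    parts = urlsplit(url)
    if "ImportFile" not in parts.path:
        return None
    values = parse_qs(parts.query).get("path")
    return values[0] if values else ""


def path_in_scope(raw_path, roots=ALLOWED_DATASET_ROOTS):
    """True only if the normalized absolute path lies inside an allowed root.
    Scheme prefixes are stripped on the assumption that they map to the local
    filesystem; relative paths are rejected outright."""
    p = raw_path
    for prefix in ("nfs://", "nfs:", "file://"):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    if not p.startswith("/"):
        return False
    norm = posixpath.normpath(p)  # collapses "..", so traversal is compared post-resolution
    for root in roots:
        root = posixpath.normpath(root)
        # Require a path separator after the root so "/srv/h2o/datasets2" does not match.
        if norm == root or norm.startswith(root + "/"):
            return True
    return False


def triage_line(line):
    """Parse one log line; return findings for ImportFile calls, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = extract_import_path(m["url"])
    if path is None:
        return None
    reasons = []
    if not path_in_scope(path):
        reasons.append("path outside dataset roots")
    if ipaddress.ip_address(m["src"]) not in TRUSTED_NETWORK:
        reasons.append("source outside trusted segment")
    return {"ts": m["ts"], "src": m["src"], "path": path,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_log(text):
    """Return only the ImportFile calls that deviate from the baseline."""
    findings = (triage_line(line) for line in text.splitlines())
    return [f for f in findings if f and f["suspicious"]]


def allow_request(src_ip, url, import_enabled=True):
    """Forwarding decision for an authenticated reverse proxy in front of h2o-3:
    non-ImportFile calls pass through; ImportFile calls are refused entirely when
    local imports are not needed, otherwise only in-scope paths from trusted sources."""
    path = extract_import_path(url)
    if path is None:
        return True
    if not import_enabled:
        return False
    return ipaddress.ip_address(src_ip) in TRUSTED_NETWORK and path_in_scope(path)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["src"], finding["path"], "; ".join(finding["reasons"]))
```

In a deployment the same check should run on the server side with os.path.realpath so that symlinks under the dataset root are resolved before the comparison; the example uses posixpath.normpath only so it runs offline on constructed input. The triage output is a screening aid for the SIEM correlation described above, not a verdict on its own.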
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.