CVE-2026-8752 Overview
CVE-2026-8752 is an improper access control vulnerability in h2oai h2o-3 up to version 7402. The flaw resides in the exec function of h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java, part of the Rapids setproperty Primitive Handler. Remote attackers can manipulate the handler to bypass access controls without authentication or user interaction. The exploit is publicly available, increasing exposure risk. The vendor was contacted but did not respond to the disclosure.
Critical Impact
Remote, unauthenticated attackers can manipulate the Rapids setproperty primitive to bypass access controls on affected h2o-3 deployments, with public exploit code available.
Affected Products
- h2oai h2o-3 versions up to and including 7402
- Component: Rapids setproperty Primitive Handler (AstSetProperty.java)
- Deployments exposing the h2o-3 REST/Rapids interface to the network
Discovery Timeline
- 2026-05-17 - CVE-2026-8752 published to the National Vulnerability Database
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8752
Vulnerability Analysis
The vulnerability exists in the Rapids expression engine of h2o-3, an open source machine learning platform. The exec method of AstSetProperty.java implements the Rapids setproperty primitive, which writes runtime properties used by the h2o cluster. The handler does not enforce sufficient access controls before applying property modifications. An attacker reachable over the network can invoke this primitive and modify properties they should not be authorized to change. Because Rapids expressions are processed by the h2o cluster service, this exposes configuration state to remote, unauthenticated actors. The weakness is classified under [CWE-266] Incorrect Privilege Assignment.
Root Cause
The exec function in AstSetProperty.java accepts and applies property changes without validating that the caller holds the privileges required to mutate cluster-level configuration. The Rapids primitive treats incoming requests as trusted, omitting the authorization check expected for state-changing operations. This design issue allows callers to influence runtime properties that downstream code assumes were set by privileged operators.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted Rapids expression that invokes the setproperty primitive against an exposed h2o-3 endpoint. The handler executes the property mutation, altering cluster state. Public exploit code lowers the skill barrier for opportunistic exploitation against internet-exposed instances. The vulnerability mechanism is described in the VulDB Vulnerability #364379 advisory; no verified proof-of-concept code is reproduced here.
Detection Methods for CVE-2026-8752
Indicators of Compromise
- Rapids expressions in h2o-3 request logs containing setproperty invocations from unexpected source addresses
- Unexplained changes to h2o cluster runtime properties without a corresponding administrative action
- HTTP requests to the h2o REST endpoint (default port 54321) whose Rapids expression begins with the setproperty primitive; note that the Java class name AstSetProperty does not appear on the wire, so match on the primitive name, not the class name
Detection Strategies
- Inspect h2o-3 access logs for POST requests to the Rapids endpoint (/99/Rapids in current h2o-3 builds; confirm the path for your version) carrying setproperty AST nodes originating outside the management network
- Alert on any access to the h2o-3 service from non-allowlisted client addresses
- Correlate property change events with authenticated administrator sessions to surface unauthorized mutations
Monitoring Recommendations
- Forward h2o-3 server logs to a centralized logging platform and retain Rapids request payloads for analysis
- Establish a baseline of expected Rapids primitives invoked by data science workflows and flag deviations
- Monitor network flows to TCP/54321 and the adjacent port (h2o-3 uses port+1, 54322 by default, for node-to-node traffic), plus any custom h2o ports, for traffic crossing trust boundaries
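The detection and monitoring points above, as an added example that is not part of the original advisory or of the h2o-3 project: a small Python triage script run over constructed log records. It assumes a logging reverse proxy in front of h2o-3 that writes each request as one JSON line with src, method, path and, for Rapids calls, the ast parameter; the record layout, the sample records, the analyst subnet and the baseline primitive set are all assumptions for illustration. It flags setproperty invocations, requests from non-allowlisted sources, and Rapids primitives outside the baseline.

```python
import ipaddress
import json
import re

# Constructed sample records from a hypothetical logging proxy in front of h2o-3.
# The field names are an assumption, not an h2o-3 log format.
SAMPLE_LOG = """\
{"ts": "2026-05-18T09:01:12Z", "src": "10.0.0.23", "method": "POST", "path": "/99/Rapids", "ast": "(assign frame1 (cols_py frame0 [0 1 2]))"}
{"ts": "2026-05-18T09:02:40Z", "src": "203.0.113.7", "method": "POST", "path": "/99/Rapids", "ast": "(setproperty \\"some.key\\" \\"value\\")"}
{"ts": "2026-05-18T09:03:05Z", "src": "10.0.0.23", "method": "POST", "path": "/99/Rapids", "ast": "(setproperty \\"some.key\\" \\"value\\")"}
{"ts": "2026-05-18T09:04:00Z", "src": "198.51.100.9", "method": "GET", "path": "/3/Cloud", "ast": null}
{"ts": "2026-05-18T09:05:30Z", "src": "10.0.0.41", "method": "POST", "path": "/99/Rapids", "ast": "(unknownprim 1 2)"}
"""

# Assumed analyst/management subnet; replace with your real allowlist.
ANALYST_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Assumed baseline of primitives seen in normal data-science workflows.
# Build the real one from a period of known-good Rapids traffic.
BASELINE_PRIMS = {"assign", "cols_py", "rows", "merge"}

# Rapids endpoint path: /<api version>/Rapids
RAPIDS_PATH = re.compile(r"^/\d+/Rapids$")
# Rapids expressions are Lisp-like; the first token after '(' is the primitive.
PRIM_RE = re.compile(r"^\s*\(\s*([^\s()]+)")


def primitive_name(ast):
    """Return the head primitive of a Rapids expression, or None if absent/unparseable."""
    if not ast:
        return None
    m = PRIM_RE.match(ast)
    return m.group(1) if m else None


def is_allowlisted(src, nets):
    """True if src parses as an IP address inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def analyze(log_text, nets=ANALYST_NETS, baseline=BASELINE_PRIMS):
    """Scan JSON-line records and return one finding per suspicious record."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "src": None, "reasons": ["unparseable record"]})
            continue
        reasons = []
        src = rec.get("src", "")
        # Any access from outside the allowlist is alert-worthy on its own.
        if not is_allowlisted(src, nets):
            reasons.append("source outside allowlist")
        # Only Rapids calls carry an AST worth inspecting.
        if RAPIDS_PATH.match(rec.get("path", "")):
            prim = primitive_name(rec.get("ast"))
            if prim == "setproperty":
                # State-changing primitive: flag even from allowlisted hosts so it can be
                # correlated with an administrative change record.
                reasons.append("setproperty invocation")
            elif prim is None:
                reasons.append("Rapids request without parseable AST")
            elif prim not in baseline:
                reasons.append(f"primitive not in baseline: {prim}")
        if reasons:
            findings.append({"line": lineno, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']:>3}  src={f['src']!s:<14} {'; '.join(f['reasons'])}")
```

Feed it real records (one JSON object per line) from your proxy or log pipeline; every setproperty hit should be matched against a change record, and any hit from outside the allowlist should be treated as a live exploitation attempt against this CVE.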
How to Mitigate CVE-2026-8752
Immediate Actions Required
- Remove h2o-3 instances from direct internet exposure and place them behind authenticated reverse proxies or VPN
- Restrict network access to the h2o-3 REST and Rapids endpoints to trusted data science workstations only
- Audit recent Rapids activity for unauthorized setproperty invocations and review cluster property state
Patch Information
As of the published advisory, the vendor was contacted early but did not respond to the disclosure, and no fixed version has been identified. Operators should monitor the h2oai h2o-3 GitHub repository for updates and apply any vendor-issued patches once available. Until a fix is published, treat all h2o-3 deployments at version 7402 and below as vulnerable.
Workarounds
- Enforce network-layer access control lists so only authorized analyst workstations can reach the h2o-3 service
- Run h2o-3 behind an authenticating proxy that rejects unauthenticated Rapids requests
- Disable or block client access to the setproperty primitive at the proxy layer where feasible
- Operate h2o-3 clusters inside isolated VPCs or namespaces with no inbound internet routing
# Configuration example: restrict h2o-3 to a bind address and firewall the ports
# Bind h2o-3 to an internal interface only; h2o-3 also uses port+1 (here 54322) for node-to-node traffic
java -jar h2o.jar -ip 10.0.0.10 -port 54321
# Linux iptables: allow only the analyst subnet (and cluster peers living in it) to reach the
# REST/Rapids port and the internal port, then drop everything else. -A appends, so check that
# no earlier INPUT rule already accepts this traffic (iptables -L INPUT -n --line-numbers).
iptables -A INPUT -p tcp --dport 54321:54322 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 54321:54322 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


