CVE-2026-8750

Name of the Vulnerable Software and Affected Versions h2oai h2o-3 versions prior to 7402

Description A remote information disclosure issue exists within the ImportFile API. The flaw is located in the importFiles() function of the h2o-core/src/main/java/water/persist/PersistNFS.java file, allowing an attacker to remotely access sensitive information.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the importFiles() function within the ImportFile API to minimize the risk of exploitation.