PT-2026-41541 · H2O.Ai · H2O-3

Vulnplusbot · Published 2026-05-17 · Updated 2026-05-18 · CVE-2026-8751

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: h2oai h2o-3 versions prior to 7402

Description: A flaw in the JAR Handler component allows remote attackers to trigger deserialization by manipulating the importBinaryModel() function within the h2o-core/src/main/java/hex/Model.java file. Deserialization converts data from a binary format back into an object; if the input is not properly validated, this can be exploited to execute unauthorized code.

Recommendations: Update to a version later than 7402. As a temporary workaround, restrict access to the importBinaryModel() function to minimize the risk of exploitation.

Exploit

Fix

Deserialization of Untrusted Data

RCE

Weakness Enumeration

Related Identifiers: CVE-2026-8751

Affected Products: H2O-3