CVE-2026-8752

Name of the Vulnerable Software and Affected Versions h2oai h2o-3 versions prior to 7402

Description A weakness in the Rapids setproperty Primitive Handler allows remote attackers to perform manipulations that lead to improper access controls and remote code execution. This issue specifically affects the exec() function within the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.