PatchSiren cyber security CVE debrief
CVE-2026-8751 H2o CVE debrief
CVE-2026-8751 describes a remotely reachable flaw in h2oai h2o-3 up to 7402, centered on importBinaryModel in h2o-core/src/main/java/hex/Model.java and the JAR handling path. The issue is described as a manipulation that leads to deserialization, and the CVE notes that exploit code has been made public. For defenders, this is most important anywhere binary model imports are exposed to untrusted input or reachable over the network.
- Vendor: H2o
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-17
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-17
- Advisory updated: 2026-05-19
Who should care
Security teams, platform owners, and MLOps operators running h2oai h2o-3 up to 7402, especially if binary model import features are exposed to users, APIs, automation, or other untrusted sources.
Technical summary
The supplied CVE record and NVD metadata point to a remote deserialization weakness in the importBinaryModel path of h2o-core/src/main/java/hex/Model.java, associated with JAR handling. The vulnerability is mapped to CWE-502 and CWE-20 in the source metadata, and the CVSS vector indicates network attackability with no privileges or user interaction required. The CVE description also states that public exploit code exists, which raises operational risk even though no remediation details are provided in the corpus.
Defensive priority
Medium severity on paper, but higher operational priority if the affected import path is reachable from untrusted sources or any internet-facing service. Public exploit availability and lack of vendor response increase the need for immediate containment and monitoring.
Recommended defensive actions
- Inventory h2oai h2o-3 deployments and confirm whether any instance is running version 7402 or earlier.
- Identify whether binary model import or JAR handling paths are exposed to untrusted users, APIs, jobs, or automation.
- Restrict access to model import workflows, and avoid accepting untrusted model files from unauthenticated or low-trust sources.
- Apply compensating controls such as network segmentation, strong authentication, least privilege, and sandboxing around model ingestion.
- Monitor for unexpected model import activity, deserialization-related errors, crashes, or other anomalous behavior on affected systems.
- Track the CVE, NVD, and vendor references for any fix or mitigation guidance and plan an upgrade or other corrective action when available.
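An added example for the monitoring action above (not part of the CVE record or the h2o-3 project's code): it scans reverse-proxy access logs for binary model import requests and flags those that come from unexpected sources, carry no authenticated user, or end in a server error. The combined log format, the trusted subnet, and the REST paths /99/Models.bin and /99/Models.upload.bin are assumptions to verify against your own deployment.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: h2o-3 sits behind a reverse proxy writing combined-format logs.
# Assumption: these are the binary model import/upload routes; confirm them
# against the routes your h2o-3 build actually exposes.
IMPORT_PATHS = re.compile(r"^/99/Models(\.upload)?\.bin(/|\?|$)")
# Assumption: only this pipeline subnet is expected to import models.
TRUSTED_SOURCES = [ip_network("10.20.0.0/24")]

LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def flag_model_imports(lines):
    """Return (timestamp, source, path, reasons) for imports needing review."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not IMPORT_PATHS.match(m["path"]):
            continue
        reasons = []
        try:
            src = ip_address(m["src"])
            if not any(src in net for net in TRUSTED_SOURCES):
                reasons.append("untrusted-source")
        except ValueError:
            reasons.append("unparseable-source")
        if m["user"] == "-":
            reasons.append("unauthenticated")
        if m["status"].startswith("5"):
            # A 5xx on import can accompany a failed deserialization.
            reasons.append("server-error")
        if reasons:
            findings.append((m["ts"], m["src"], m["path"], reasons))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.20.0.15 - mlops [19/May/2026:08:01:12 +0000] "POST /99/Models.bin/ HTTP/1.1" 200 412',
    '203.0.113.7 - - [19/May/2026:08:03:40 +0000] "POST /99/Models.upload.bin/ HTTP/1.1" 500 87',
    '10.20.0.15 - mlops [19/May/2026:08:05:02 +0000] "GET /3/Models HTTP/1.1" 200 9921',
    '10.20.0.16 - - [19/May/2026:08:06:30 +0000] "POST /99/Models.bin/ HTTP/1.1" 200 400',
]

if __name__ == "__main__":
    for ts, src, path, reasons in flag_model_imports(SAMPLE):
        print(f"{ts} {src} {path} -> {', '.join(reasons)}")
```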
Evidence notes
This debrief is based on the supplied CVE description, NVD metadata, and the referenced VulDB CNA-linked sources. The corpus states h2oai h2o-3 up to 7402, identifies importBinaryModel in h2o-core/src/main/java/hex/Model.java, and says the attack can be carried out remotely with public exploit code. Source metadata also lists CWE-20 and CWE-502. Vendor identity in the enrichment data is low-confidence/needs review, so the debrief avoids asserting more than the supplied evidence supports.
Official resources
- CVE-2026-8751 CVE record: CVE.org
- CVE-2026-8751 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference: [email protected] - Permissions Required, VDB Entry
- Source reference: [email protected] - Broken Link
Publicly disclosed on 2026-05-17. The supplied description says exploit code has been released publicly and that the vendor was contacted early but did not respond.