PatchSiren cyber security CVE debrief

CVE-2026-8752 H2o CVE debrief

CVE-2026-8752 is a medium-severity access control weakness reported in h2oai h2o-3 (up to 7402), in the Rapids setproperty primitive handler at AstSetProperty.exec. The source description says the issue can be triggered remotely and that public exploit material is available, which raises the operational risk for exposed deployments even though the base CVSS score is 5.5.

Vendor: H2o
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-19
Advisory published: 2026-05-17
Advisory updated: 2026-05-19

Who should care

Teams operating h2o-3 instances, especially those exposing Rapids-related functionality or remote job interfaces to untrusted users or networks, should review this CVE promptly. Security teams should also assess any deployment where property-setting actions may be reachable across trust boundaries.

Technical summary

The reported flaw is in h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java, specifically the exec function for the Rapids setproperty primitive handler. The CNA-supplied weakness mapping includes CWE-284 and CWE-266, and the CVSS v4 vector indicates network attackability with no privileges and no user interaction, plus a low integrity impact. In practical terms, the issue appears to be an authorization/access-control failure in a remotely reachable code path.

Defensive priority

Medium overall, but high priority for any internet-facing or otherwise untrusted-access deployment because the attack is remote, requires no privileges, and public exploit material is reported.

Recommended defensive actions

Inventory h2o-3 deployments and determine whether any instance is at or below version 7402.
Restrict network access to Rapids and related administrative or job-submission interfaces to trusted users and segmented networks.
Review authorization checks around property-setting and other Rapids primitives for unintended access paths.
Monitor logs and audit trails for unusual property changes, unauthorized job activity, or unexpected Rapids requests.
Apply a vendor fix or upgrade as soon as an official patched release is confirmed; if no fix is available yet, mitigate by reducing exposure and isolating affected systems.

Evidence notes

The supplied NVD record (published/modified 2026-05-17T12:16:43.330Z) marks the item as Received and cites VulDB-hosted references. The CVE description states that the flaw affects h2oai h2o-3 up to 7402, can be reached remotely, and that exploit code/material has been made public. Source metadata also flags the vendor attribution as low confidence, so product and remediation details should be validated against authoritative upstream information before acting on them.

Official resources

CVE-2026-8752 CVE record
CVE.org
CVE-2026-8752 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Source reference
[email protected] - Permissions Required, VDB Entry
Source reference
[email protected] - Broken Link

Publicly disclosed on 2026-05-17. The supplied description says a public exploit exists and that the vendor was contacted early but did not respond.