Description

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.

INFO

Published Date :

2026-04-23T08:47:48.618Z

Last Modified :

2026-04-23T08:47:48.618Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2026-3960 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-3960.

URL Resource
https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db2dc53753357a783e590364d044 cve-icon cve-icon
https://huntr.com/bounties/6954fe04-b905-453f-8c53-205ac8377e0d cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact