PYSEC-2026-1444

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/h2o/PYSEC-2026-1444.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1444
Aliases
Published
2026-07-07T14:34:51.538324Z
Modified
2026-07-07T17:46:12.509096578Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
H2O Vulnerable to Denial of Service (DoS) and File Write
Details

In h2oai/h2o-3 version 3.46.0.1, the run_tool command exposes classes in the water.tools package through the ast parser. This includes the XGBoostLibExtractTool class, which can be exploited to shut down the server and write large files to arbitrary directories, leading to a denial of service.

References

Affected packages

PyPI / h2o

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.34.0.1
Last affected
3.46.0.1

Affected versions

3.*
3.34.0.3
3.34.0.7
3.34.0.8
3.36.0.2
3.36.0.3
3.36.0.4
3.36.1.1
3.36.1.2
3.36.1.3
3.36.1.4
3.36.1.5
3.38.0.1
3.38.0.2
3.38.0.3
3.38.0.4
3.40.0.1
3.40.0.2
3.40.0.3
3.40.0.4
3.42.0.1
3.42.0.2
3.42.0.3
3.42.0.4
3.44.0.1
3.44.0.2
3.44.0.3
3.46.0.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/h2o/PYSEC-2026-1444.yaml"