H2 is a relational database management system written in Java. It can be embedded in Java applications or run in client-server mode.

The H2 database comes with a H2 console application that is not enabled by default and it's normally accessible at the endpoint /h2-console. This database console should only be enabled in the development phase and disabled once the application is deployed in a production environment. It was discovered that the H2 console is publicly accessible on this website.


It's recommended to disable access to the H2 console in production environments. To disable H2 console add the following line to



Related Vulnerabilities