Spring Boot Misconfiguration: H2 console enabled

Severity: Medium

Invicti detected that the H2 Console is enabled.

H2 is a relational database management system written in Java. It can be embedded in Java applications or run in client-server mode. The H2 database comes with a H2 console application that is not enabled by default. This database console should only be enabled in the development phase and disabled once the application is deployed in a production environment. It was discovered that the H2 console is enabled on this Spring Boot website.


An attacker can try to use default database credentials to gain access to the H2 databases.

Actions To Take#

It's recommended to disable access to the H2 console in production environments. To disable H2 console add the following line to application.properties:


Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo