← Back to CVE List
CVE-2026-59826NVD
Vulnerability Summary
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredHigh
User InteractionNone
ScopeChanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
External References
- https://github.com/metabase/metabase/commit/74032e5e0a5a70dc45a6a744d37b9ba24eee8d01
- https://github.com/metabase/metabase/releases/tag/v0.58.15.1
- https://github.com/metabase/metabase/releases/tag/v0.59.12
- https://github.com/metabase/metabase/releases/tag/v0.60.6.3
- https://github.com/metabase/metabase/releases/tag/v0.61.2
- https://github.com/metabase/metabase/security/advisories/GHSA-8wx2-rxp2-4x35