TL;DR
Metabase has patched three critical flaws in its H2 database handling. Two carry CVE IDs and enable Metabase remote code execution. CVE-2026-59827 scores 9.9 on CVSS, and CVE-2026-59826 scores 9.1. No public exploitation has been confirmed.
- Total: 2 CVEs
- Severity: 2 Critical
- Actively exploited: None confirmed
- Highest severity: 9.9 (Critical · CVSSv3) — CVE-2026-59827
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-59827 | 9.9 | CWE-502 | Not exploited |
| CVE-2026-59826 | 9.1 | CWE-94 | Not exploited |
Why it matters
Metabase is a popular open-source business intelligence tool. Many teams run it to query and share data. A remote code execution bug there hands an attacker the server. From there, they can reach connected data sources and secrets. Because both CVEs need only a valid account, insider risk and stolen logins both apply.
How the attack works
All three issues involve the bundled H2 database. CVE-2026-59827 is an unsafe deserialization flaw. An authenticated user runs a native H2 query that returns serialized Java objects. Metabase then deserializes them without any type checks. As a result, the attacker gains remote code execution on the server.
CVE-2026-59826 works differently. An admin registers an H2 connection with crafted details that skip validation, which runs arbitrary Java code. A third critical bug lets native queries call H2’s host-facing file functions. That allows arbitrary file read and write. We are not sharing exploit code.
Exploitation status
Metabase reports no attacks in the wild so far. No public proof-of-concept exists at publication. Still, the near-maximum scores make these bugs urgent. Attackers study open-source advisories fast. Patch before that window opens.
Affected versions
The default Metabase sample database uses H2, so many instances are exposed by default. Fixed builds vary by branch. For CVE-2026-59827, update to 1.61.1.4, 1.60.6.3, 1.59.12, or 1.58.15 and later. Check Metabase’s security advisories for the exact fixed release per CVE.
Patch and mitigation
Update Metabase without delay to a patched build. Grab the latest from the Metabase releases page. Until you patch, restrict who can run native queries. Also disable or remove the sample H2 database where you can.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.