Back to overview

CVE-2026-59826

CRITICAL
9.1
CVSS 3.1
Description
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.

Metadata

CVE ID
CVE-2026-59826
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 15:00 UTC
Published
2026-07-09 17:46 UTC
Last updated
2026-07-10 03:55 UTC
Primary CWE
CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product
metabase / metabase
Sources
cve.org  ·  NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
metabase metabase >= 1.55.0, < 1.58.15.1, >= 1.59.0, < 1.59.12, >= 1.60.0, < 1.60.6.3, >= 1.61.0, < 1.61.2
Weakness (CWE)
CWESourceDescription
CWE-94 cna CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.1 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References (6)
Back to overview