Back to overview

CVE-2026-59827

CRITICAL
9.9
CVSS 3.1
Description
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.

Metadata

CVE ID
CVE-2026-59827
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 15:00 UTC
Published
2026-07-09 17:43 UTC
Last updated
2026-07-09 18:24 UTC
Primary CWE
CWE-502
CWE-502: Deserialization of Untrusted Data
Vendor / Product
metabase / metabase
Sources
cve.org  ·  NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
metabase metabase >= 1.58.0, < 1.58.15, >= 1.59.0, < 1.59.12, >= 1.60.0, < 1.60.6.3, >= 1.61.0, < 1.61.1.4
Weakness (CWE)
CWESourceDescription
CWE-502 cna CWE-502: Deserialization of Untrusted Data
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.9 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References (6)
Back to overview