CVE-2026-27464
Information Disclosure via Template Injection in Metabase Notifications
Publication date: 2026-02-21
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metabase | metabase | Up to 0.57.13 (exc) |
| metabase | metabase | From 0.58.0 (inc) to 0.58.7 (exc) |
| metabase | metabase | Up to 1.57.13 (exc) |
| metabase | metabase | From 1.58.0 (inc) to 1.58.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27464 is a high-severity vulnerability affecting Metabase versions prior to 0.57.13 and versions 0.58.x through 0.58.6. Authenticated users with low privileges can exploit this flaw by supplying a specially crafted template to the notifications endpoint, which triggers server-side code execution during template evaluation.
This vulnerability allows an attacker to extract sensitive information, including database access credentials, which are then included in the body of outgoing notification emails. The root cause is improper processing of user-supplied templates in the notification system, enabling code execution on the server.
The attack requires network access and low privileges but no user interaction, and it impacts components beyond the vulnerable endpoint, causing a scope change.
How can this vulnerability impact me?
This vulnerability can lead to the exposure of sensitive information such as database access credentials to low-privileged authenticated users.
Because the attacker can execute code on the server during template evaluation, it compromises the confidentiality of the system without affecting integrity or availability.
An attacker exploiting this flaw could gain unauthorized access to critical database credentials, potentially leading to further unauthorized data access or system compromise.
Mitigations include disabling notifications to block access to the vulnerable endpoint and upgrading to fixed versions 0.57.13 or 0.58.7.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves authenticated users exploiting the notifications endpoint by supplying specially crafted templates to extract sensitive information. Detection would involve monitoring for unusual or unauthorized access to the notifications endpoint or suspicious template submissions by low-privileged users.
Specific commands or detection scripts are not provided in the available resources. However, general detection approaches could include:
- Reviewing Metabase logs for access to the notifications endpoint from low-privileged users.
- Monitoring outgoing notification emails for unexpected inclusion of sensitive information such as database credentials.
- Using network monitoring tools to detect unusual POST requests to the notifications endpoint.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, users should disable notifications in their Metabase instance to block access to the vulnerable notifications endpoint.
Additionally, users are strongly advised to upgrade Metabase to versions 0.57.13 or 0.58.7 (or later) where this issue has been fixed.
Before upgrading, it is recommended to back up the Metabase application database.
Upgrades can be performed using updated Docker images or downloadable JAR files available from Metabase's official repositories.
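A triage helper, added here as an example (it is not part of this record and not Metabase's own code), that encodes the four affected ranges from the table above and reports which instances in a constructed inventory still need the 0.57.13 / 0.58.7 upgrade; host names and versions are made up for illustration:

```python
import re
from typing import Dict, Optional, Tuple

# Affected windows from the record's "Affected Vendors & Products" table.
# Metabase numbers its two release lines in parallel (0.x and 1.x), and
# each line has the same two vulnerable windows:
#   window 1: everything before x.57.13 (no lower bound given)
#   window 2: from x.58.0 (inclusive) up to x.58.7 (exclusive)
AFFECTED_MAJORS = {0, 1}
FIRST_FIX = (57, 13)
SECOND_START, SECOND_FIX = (58, 0), (58, 7)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for strings like 'v0.58.6' or '1.57.12-rc1'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside either vulnerable window of its line."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Metabase version string: {version!r}")
    major, minor, patch = parsed
    if major not in AFFECTED_MAJORS:
        return False
    mp = (minor, patch)
    return mp < FIRST_FIX or SECOND_START <= mp < SECOND_FIX


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release on the same line, or None if not affected."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    fix = FIRST_FIX if minor <= FIRST_FIX[0] else SECOND_FIX
    return f"{major}.{fix[0]}.{fix[1]}"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the release it should be upgraded to."""
    return {h: recommended_upgrade(v) for h, v in inventory.items() if is_affected(v)}


# Constructed inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {"bi-prod": "0.57.12", "bi-ent": "v1.58.6", "bi-dev": "0.58.7"}
```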