CVE-2026-59826
Received
Received - Intake
Code Execution via H2 Database in Metabase
Vulnerability report for CVE-2026-59826, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: GitHub, Inc.
Description
Description
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metabase | metabase | From 1.55.0 (inc) to 1.58.15.1 (exc) |
| metabase | metabase | 0.60.6.3 |
| metabase | metabase | 0.59.12 |
| metabase | metabase | 0.58.15.1 |
| metabase | metabase | 0.61.2 |
| metabase | metabase | From 1.55.0 (inc) to 1.58.15.1 (inc) |
| metabase | metabase | 1.58.15.1 |
| metabase | metabase | 1.59.12 |
| metabase | metabase | 1.60.6.3 |
| metabase | metabase | 1.61.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |