CVE-2026-59827
Received
Received - Intake
Deserialization Flaw in Metabase Allows Code Execution
Vulnerability report for CVE-2026-59827, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: GitHub, Inc.
Description
Description
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metabase | metabase | From 1.58.15 (exc) to 1.58.14 (inc) |
| metabase | metabase | From 1.59.12 (exc) to 1.59.11 (inc) |
| metabase | metabase | From 1.60.6.3 (exc) to 1.60.6.2 (inc) |
| metabase | metabase | From 1.61.1.4 (exc) to 1.61.1.3 (inc) |
| metabase | metabase | to 1.61.1.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |