CVE-2026-59827
Received Received - Intake

Deserialization Flaw in Metabase Allows Code Execution

Vulnerability report for CVE-2026-59827, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
metabase metabase From 1.58.15 (exc) to 1.58.14 (inc)
metabase metabase From 1.59.12 (exc) to 1.59.11 (inc)
metabase metabase From 1.60.6.3 (exc) to 1.60.6.2 (inc)
metabase metabase From 1.61.1.4 (exc) to 1.61.1.3 (inc)
metabase metabase to 1.61.1.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59827 is a critical vulnerability in Metabase, an open-source business intelligence tool, affecting instances that use the H2 database connection, including the default sample database.

The vulnerability arises because Metabase deserializes arbitrary Java objects returned in H2 native query result columns of type OTHER without validating them. This means that an authenticated user who can run native H2 queries can craft a query that returns malicious serialized Java objects, which Metabase will deserialize and execute on the server.

This unsafe deserialization allows remote code execution on the Metabase server, posing a severe security risk.

The issue affects Metabase versions prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, where patches have been applied to fix this problem.

Compliance Impact

This vulnerability allows an authenticated user with permission to run native H2 queries to execute arbitrary code on the Metabase server by exploiting unsafe deserialization of Java objects. Such unauthorized code execution can lead to breaches of confidentiality, integrity, and availability of data handled by Metabase.

Because the vulnerability can lead to unauthorized access and control over sensitive data, it may impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.

However, the attack surface is limited since exploitation requires authenticated access with permission to run native H2 queries, and Metabase does not allow adding new H2 connections via the UI, restricting the vulnerability mostly to instances using the default sample database.

Impact Analysis

This vulnerability can have a severe impact because it allows an authenticated user with permission to run native H2 queries to execute arbitrary code on the Metabase server.

The CVSS score of 9.9 indicates a critical severity with high impact on confidentiality, integrity, and availability.

  • Confidentiality: An attacker could access sensitive data on the server.
  • Integrity: An attacker could modify or corrupt data or system configurations.
  • Availability: An attacker could disrupt the service or cause denial of service.

The attack complexity is low, requiring only low privileges (authenticated user with native query access) and no user interaction.

However, the attack surface is somewhat limited because Metabase does not allow adding new H2 connections via the UI, so exploitation is mostly limited to instances using the default sample database.

Detection Guidance

This vulnerability can be detected by identifying Metabase instances that use the H2 database connection, including the default sample database, and checking if they are running vulnerable versions prior to 1.58.15, 1.59.12, 1.60.6.3, or 1.61.1.4.

Detection can involve verifying the Metabase version and inspecting if native H2 queries are allowed and used, especially queries that return columns of type OTHER which may deserialize arbitrary Java objects.

Specific commands are not provided in the resources, but a general approach would be to query the Metabase server or database for its version and configuration, and to monitor or audit native H2 query usage that involves deserialization of Java objects.

Mitigation Strategies

The immediate mitigation step is to upgrade Metabase to a fixed version: 1.58.15, 1.59.12, 1.60.6.3, or 1.61.1.4.

Since the vulnerability requires an authenticated user with permission to run native H2 queries, restricting or auditing such permissions can reduce risk.

Backing up the Metabase application database before upgrading is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59827. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart