CVE-2026-59826

Metabase · Metabase

Metabase fails to validate H2 database connection properties, allowing an authenticated administrator to execute arbitrary Java code on the server.

Executive summary

An authenticated administrator can exploit a code injection vulnerability in Metabase, potentially leading to complete server compromise.

Vulnerability

The application fails to validate unsafe H2 connection properties during database creation. This allows an authenticated administrator to inject and execute arbitrary Java code on the underlying server, bypassing intended application constraints.

Business impact

While this vulnerability requires administrative authentication, the impact is critical (CVSS 9.1). Successful exploitation grants an attacker the ability to execute code with the privileges of the Metabase application, leading to total system compromise, unauthorized data access, and the potential for lateral movement within the network.

Remediation

Immediate Action: Upgrade Metabase to versions 1.58.15.1, 1.59.12, 1.60.6.3, or 1.61.2, depending on your current deployment branch.

Proactive Monitoring: Monitor for unusual database connection strings or unexpected Java process activity originating from the Metabase server.

Compensating Controls: Limit access to the Metabase administrative interface to trusted personnel only and implement network segmentation to isolate the server.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations should treat this as a high-priority update. Since the vulnerability allows for arbitrary code execution, ensuring that the software is updated to the patched versions is the only effective way to prevent potential exploitation by malicious insiders or compromised administrator accounts.