CVE-2026-59827
metabase · metabase
Metabase instances using H2 database connections are vulnerable to remote code execution via the deserialization of untrusted data in native query results.
Executive summary
A critical deserialization vulnerability in Metabase allows authenticated users to execute arbitrary code on the server when connected to an H2 database.
Vulnerability
The vulnerability exists in the handling of H2 native query results. The application deserializes arbitrary Java objects returned in columns of type OTHER without validation, enabling an authenticated attacker with native query privileges to achieve code execution.
Business impact
Successful exploitation allows an attacker to bypass application-level controls and execute code directly on the Metabase host. This poses a severe risk of data breach, as the attacker could access the underlying database, credentials, or other system assets. The CVSS score of 9.9 highlights the extreme severity of this flaw, particularly for organizations using Metabase for business intelligence.
Remediation
Immediate Action: Update Metabase to versions 1.58.15, 1.59.12, 1.60.6.3, 1.61.1.4, or later immediately.
Proactive Monitoring: Audit database query logs for suspicious activity, particularly queries involving native H2 calls or unexpected usage of the OTHER data type.
Compensating Controls: Restrict access to the Metabase interface and limit the ability of users to run native database queries to only trusted administrative accounts until patches are applied.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical CVSS score and the potential for complete system takeover, applying the vendor-provided patches is the only effective mitigation. Security teams should prioritize patching instances that are exposed to untrusted users or that utilize H2 databases.