CVE-2026-59827 in Metabase
Summary
by MITRE • 07/09/2026
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability affects Metabase instances that utilize H2 database connections, particularly those using the default sample database configuration. The flaw exists in the deserialization process where Metabase fails to validate object types returned from H2 native query result columns designated as type OTHER. This represents a critical security weakness that allows authenticated users with native query execution privileges to exploit a remote code execution vector through malicious object deserialization.
The technical implementation of this vulnerability stems from insufficient input validation during the deserialization of database query results. When Metabase processes H2 query responses containing objects of type OTHER, it directly deserializes these objects without proper type checking or sanitization. This behavior creates an attack surface where maliciously crafted objects can be embedded within database query results and subsequently executed on the server hosting the Metabase instance. The vulnerability specifically impacts environments where users can execute native H2 queries, which typically requires authentication and appropriate permissions within the application's access control model.
The operational impact of this vulnerability is severe as it enables authenticated attackers to achieve remote code execution on Metabase servers. This compromise allows adversaries to potentially escalate privileges, access sensitive data, modify database content, or establish persistent access points within the organization's infrastructure. The attack requires only authentication credentials and the ability to execute native queries, making it particularly dangerous in environments where multiple users have varying levels of database access. Organizations using Metabase with H2 databases are at risk regardless of whether they use the default sample database or custom configurations.
Mitigation strategies should focus on upgrading to the patched versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4 as recommended by the vendor. Organizations should also implement additional security controls including restricting native query execution permissions, implementing network segmentation for database connections, and monitoring for suspicious query patterns. The vulnerability aligns with CWE-502 which addresses deserialization of untrusted data, and represents a technique consistent with ATT&CK tactic TA0004 (Privilege Escalation) and technique T1059.007 (Command and Scripting Interpreter: PowerShell). Security teams should also consider implementing application whitelisting policies and regular security assessments to prevent similar vulnerabilities in other components of their infrastructure.