PT-2026-60209 · Metabase · Metabase

Publicado

2026-07-15

·

Atualizado

2026-07-15

·

CVE-2026-50147

CVSS v3.1

7.6

Alta

VetorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4.

Correção

Argument Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-50147

Produtos afetados

Metabase