PT-2026-56901 · Metabase · Metabase
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-59826
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Metabase