PT-2026-60209 · Metabase · Metabase

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-50147

CVSS v3.1

7.6

High

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4.

Fix

Argument Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-50147

Affected Products

Metabase