CVE-2026-59826

PUBLISHED
Published: 09 Jul 2026, 17:46
Last modified:09 Jul 2026, 18:10

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.1 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

09 Jul 2026, 17:46
Published
Vulnerability first disclosed
09 Jul 2026, 18:10
Last Modified
Vulnerability information updated

Description

Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.

CVSS Metrics

  • v3.1CRITICALScore: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Techniques & Countermeasures

  • CWE-94Improper Control of Generation of Code ('Code Injection')

    The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

  • metabasemetabase

    ≥ 1.55.0, < 1.58.15.1 | ≥ 1.59.0, < 1.59.12 | ≥ 1.60.0, < 1.60.6.3 | ≥ 1.61.0, < 1.61.2

References (6)