CVE Vulnerability in Metabase Affected by Unsafe H2 Connection Properties
CVE-2026-59826

9.1CRITICAL

Key Information:

Vendor

Metabase

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59826?

Metabase, an open-source business intelligence and analytics tool, experienced a significant vulnerability involving improper validation of H2 connection properties. Any authenticated administrator could register a malicious H2 database connection, leading to the potential execution of arbitrary Java code on the Metabase server. This vulnerability affects specific versions and is addressed in subsequent updates, enhancing the overall security of the platform.

Affected Version(s)

metabase >= 1.55.0, < 1.58.15.1 < 1.55.0, 1.58.15.1

metabase >= 1.59.0, < 1.59.12 < 1.59.0, 1.59.12

metabase >= 1.60.0, < 1.60.6.3 < 1.60.0, 1.60.6.3

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.