Deserialization Flaw in Metabase's H2 Database Connection
CVE-2026-59827

9.9CRITICAL

Key Information:

Vendor

Metabase

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59827?

Metabase, an open-source business intelligence and embedded analytics tool, suffers from a deserialization vulnerability in versions prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4. When configured with an H2 database connection, including the default sample database, this flaw permits authenticated users capable of executing native H2 queries to exploit deserialization of arbitrary Java objects. This leads to potential code execution on the Metabase server. The vulnerability has been patched in subsequent versions, addressing the security risk for users.

Affected Version(s)

metabase >= 1.58.0, < 1.58.15 < 1.58.0, 1.58.15

metabase >= 1.59.0, < 1.59.12 < 1.59.0, 1.59.12

metabase >= 1.60.0, < 1.60.6.3 < 1.60.0, 1.60.6.3

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.