Deserialization Flaw in Metabase's H2 Database Connection
CVE-2026-59827
9.9CRITICAL
What is CVE-2026-59827?
Metabase, an open-source business intelligence and embedded analytics tool, suffers from a deserialization vulnerability in versions prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4. When configured with an H2 database connection, including the default sample database, this flaw permits authenticated users capable of executing native H2 queries to exploit deserialization of arbitrary Java objects. This leads to potential code execution on the Metabase server. The vulnerability has been patched in subsequent versions, addressing the security risk for users.
Affected Version(s)
metabase >= 1.58.0, < 1.58.15 < 1.58.0, 1.58.15
metabase >= 1.59.0, < 1.59.12 < 1.59.0, 1.59.12
metabase >= 1.60.0, < 1.60.6.3 < 1.60.0, 1.60.6.3
