NIXPKGS-2026-2136
GitHub issue
published 13 hours ago
Metabase: Arbitrary Code Execution via Database Connection Detail Bypass
Permalink
CVE-2026-59826
9.1 CRITICAL
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): High (H)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): High (H)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Metabase: Arbitrary Code Execution via Database Connection Detail Bypass
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
References
-
https://github.com/metabase/metabase/security/advisories/GHSA-8wx2-rxp2-4x35 x_refsource_CONFIRM
-
https://github.com/metabase/metabase/releases/tag/v0.58.15.1 x_refsource_MISC
-
https://github.com/metabase/metabase/releases/tag/v0.59.12 x_refsource_MISC
-
https://github.com/metabase/metabase/releases/tag/v0.60.6.3 x_refsource_MISC
-
https://github.com/metabase/metabase/releases/tag/v0.61.2 x_refsource_MISC
Affected products
metabase
- ==>= 1.61.0, < 1.61.2
- ==>= 1.60.0, < 1.60.6.3
- ==>= 1.55.0, < 1.58.15.1
- ==>= 1.59.0, < 1.59.12
Matching in nixpkgs
Package maintainers
-
@mmahut Marek Mahut <marek.mahut@gmail.com>
-
@thoughtpolice Austin Seipp <aseipp@pobox.com>