Multiple security vulnerabilities have been identified in Metabase, a popular open-source business intelligence tool, that enable remote code execution via its bundled H2 database handling. Two of these flaws carry CVE IDs and score 9.9 and 9.1 on CVSS respectively. The affected version range is not explicitly stated in the article.
CVE-2026-59827 (CVSS 9.9 — Critical): An authenticated user can run a native H2 query that returns serialized Java objects, which Metabase then deserializes without any type checks, allowing an attacker to gain remote code execution on the server.[/subscribe_to_unlock_form]
Multiple security vulnerabilities have been identified in Metabase, a popular open-source business intelligence tool, that enable remote code execution via its bundled H2 database handling. Two of these flaws carry CVE IDs and score 9.9 and 9.1 on CVSS respectively. The affected version range is not explicitly stated in the article.
CVE-2026-59827 (CVSS 9.9 — Critical): An authenticated user can run a native H2 query that returns serialized Java objects, which Metabase then deserializes without any type checks, allowing an attacker to gain remote code execution on the server.[emaillocker id="1283"]
CVE-2026-59826 (CVSS 9.1 — Critical): An admin registers an H2 connection with crafted details that skip validation, running arbitrary Java code. These vulnerabilities collectively present a significant risk of remote code execution and data exposure for Metabase users. Administrators should apply the latest security updates now to mitigate this risk. These vulnerabilities collectively present a significant risk of remote code execution and data exposure for Metabase users.
These vulnerabilities collectively present a significant risk of remote code execution and data exposure for Metabase users.
We recommend you to update Metabase For CVE-2026-59827, to 1.61.1.4, 1.60.6.3, 1.59.12, or 1.58.15 and later.
The following reports contain further technical details:
[/emaillocker]