PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59827 metabase CVE debrief

Metabase is vulnerable to code execution. Instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation. An authenticated user who can run native H2 queries can execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4. The vulnerability has a high impact due to its critical CVSS score of 9.9. Users of Metabase with H2 database connections should apply patches immediately to prevent potential code execution.

Vendor
metabase
Product
Unknown
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-13
Advisory published
2026-07-09
Advisory updated
2026-07-13

Who should care

Users of Metabase with H2 database connections, especially those with authenticated users who can run native H2 queries, should apply the patches immediately to prevent potential code execution. This includes administrators, security teams, and operators who manage Metabase instances and ensure the security of the systems and data they handle.

Technical summary

The vulnerability allows an authenticated user to execute code on the Metabase server by deserializing arbitrary Java objects from H2 native query results without validation. This affects Metabase instances connected to H2 databases, including the default sample database. The issue is addressed in Metabase versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4. Technical details indicate that the vulnerability is due to insecure deserialization of Java objects in H2 native query result columns of type OTHER. This can be mitigated by applying patches, restricting access to native H2 queries, and monitoring for suspicious activity.

Defensive priority

High

Recommended defensive actions

  • Apply patches to Metabase instances: upgrade to versions 1.58.15, 1.59.12, 1.60.6.3, or 1.61.1.4
  • Restrict access to native H2 queries for authenticated users
  • Monitor for suspicious activity related to H2 queries
  • Review system logs for exposed assets that need extra review
  • Track exceptions and retest remediated assets
  • Close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and patches. Metabase has released fixed versions and advisories. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should review the official advisory and CVE record to validate affected systems and apply patches accordingly. Additional verification tasks include reviewing system logs for suspicious activity related to H2 queries and ensuring that access to native H2 queries is restricted for authenticated users.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T18:16:57.893Z and has not been modified since then. The NVD entry is currently Analyzed.