PatchSiren cyber security CVE debrief
CVE-2026-59827 metabase CVE debrief
Metabase is vulnerable to code execution. Instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation. An authenticated user who can run native H2 queries can execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4. The vulnerability has a high impact due to its critical CVSS score of 9.9. Users of Metabase with H2 database connections should apply patches immediately to prevent potential code execution.
- Vendor
- metabase
- Product
- Unknown
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-13
Who should care
Users of Metabase with H2 database connections, especially those with authenticated users who can run native H2 queries, should apply the patches immediately to prevent potential code execution. This includes administrators, security teams, and operators who manage Metabase instances and ensure the security of the systems and data they handle.
Technical summary
The vulnerability allows an authenticated user to execute code on the Metabase server by deserializing arbitrary Java objects from H2 native query results without validation. This affects Metabase instances connected to H2 databases, including the default sample database. The issue is addressed in Metabase versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4. Technical details indicate that the vulnerability is due to insecure deserialization of Java objects in H2 native query result columns of type OTHER. This can be mitigated by applying patches, restricting access to native H2 queries, and monitoring for suspicious activity.
Defensive priority
High
Recommended defensive actions
- Apply patches to Metabase instances: upgrade to versions 1.58.15, 1.59.12, 1.60.6.3, or 1.61.1.4
- Restrict access to native H2 queries for authenticated users
- Monitor for suspicious activity related to H2 queries
- Review system logs for exposed assets that need extra review
- Track exceptions and retest remediated assets
- Close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD detail provide information on the vulnerability and patches. Metabase has released fixed versions and advisories. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should review the official advisory and CVE record to validate affected systems and apply patches accordingly. Additional verification tasks include reviewing system logs for suspicious activity related to H2 queries and ensuring that access to native H2 queries is restricted for authenticated users.
Official resources
-
CVE-2026-59827 CVE record
CVE.org
-
CVE-2026-59827 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T18:16:57.893Z and has not been modified since then. The NVD entry is currently Analyzed.