Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-94"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.55.0"
},
{
"fixed": "1.58.15.1"
},
{
"introduced": "1.59.0"
},
{
"fixed": "1.59.12"
},
{
"introduced": "1.60.0"
},
{
"fixed": "1.60.6.3"
},
{
"introduced": "1.61.0"
},
{
"fixed": "1.61.2"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59826.json"
}