CVE-2026-59827

Source
https://cve.org/CVERecord?id=CVE-2026-59827
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59827.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59827
Aliases
  • GHSA-w95f-x9v9-wv36
Published
2026-07-09T17:43:57.546Z
Modified
2026-07-16T03:49:20.703422837Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Metabase: Unsafe Deserialization of H2 Query Results
Details

Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-502"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.58.0"
                },
                {
                    "fixed": "1.58.15"
                },
                {
                    "introduced": "1.59.0"
                },
                {
                    "fixed": "1.59.12"
                },
                {
                    "introduced": "1.60.0"
                },
                {
                    "fixed": "1.60.6.3"
                },
                {
                    "introduced": "1.61.0"
                },
                {
                    "fixed": "1.61.1.4"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59827.json"
}
References

Affected packages

Git / github.com/metabase/metabase

Affected ranges

Type
GIT
Repo
https://github.com/metabase/metabase
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.58.0"
        },
        {
            "fixed": "0.58.15"
        },
        {
            "introduced": "0.59.0"
        },
        {
            "fixed": "0.59.12"
        },
        {
            "introduced": "0.60.0"
        },
        {
            "fixed": "0.60.6.3"
        },
        {
            "introduced": "0.61.0"
        },
        {
            "fixed": "0.61.1.4"
        }
    ]
}

Affected versions

embedding-sdk-0.*
embedding-sdk-0.58.0
embedding-sdk-0.59.0
embedding-sdk-0.59.0-beta.0
embedding-sdk-0.60.0
embedding-sdk-0.60.0-beta.0
Other
embedding-sdk-58-stable
embedding-sdk-59-stable
embedding-sdk-60-stable
latest-ee
latest-oss
v0.*
v0.58.0.10-beta
v0.58.0.x
v0.58.1
v0.58.1.1
v0.58.1.2
v0.58.1.3
v0.58.1.x
v0.58.10
v0.58.10.1
v0.58.10.x
v0.58.11
v0.58.11.x
v0.58.12
v0.58.12.x
v0.58.13
v0.58.13.1
v0.58.13.x
v0.58.14
v0.58.14.1
v0.58.14.x
v0.58.2
v0.58.2.1
v0.58.2.2
v0.58.2.3
v0.58.2.4
v0.58.2.5
v0.58.2.6
v0.58.2.x
v0.58.3
v0.58.3.1
v0.58.3.2
v0.58.3.3
v0.58.3.4
v0.58.3.x
v0.58.4
v0.58.4.1
v0.58.4.2
v0.58.4.x
v0.58.5
v0.58.5.1
v0.58.5.2
v0.58.5.3
v0.58.5.4
v0.58.5.5
v0.58.5.x
v0.58.6
v0.58.6.1
v0.58.6.x
v0.58.7
v0.58.7.1
v0.58.7.2
v0.58.7.3
v0.58.7.4
v0.58.7.5
v0.58.7.6
v0.58.7.x
v0.58.8
v0.58.8.1
v0.58.8.2
v0.58.8.3
v0.58.8.4
v0.58.8.5
v0.58.8.6
v0.58.8.x
v0.58.9
v0.58.9.1
v0.58.9.2
v0.58.9.x
v0.58.x
v0.59.0.1-beta
v0.59.0.2-beta
v0.59.0.3-beta
v0.59.0.4-beta
v0.59.0.5-beta
v0.59.0.6-beta
v0.59.0.7-beta
v0.59.0.x
v0.59.1
v0.59.1.1
v0.59.1.2
v0.59.1.3
v0.59.1.4
v0.59.1.5
v0.59.1.6
v0.59.1.x
v0.59.10
v0.59.10.1
v0.59.10.x
v0.59.11
v0.59.11.x
v0.59.2
v0.59.2.1
v0.59.2.2
v0.59.2.3
v0.59.2.4
v0.59.2.5
v0.59.2.6
v0.59.2.7
v0.59.2.x
v0.59.3
v0.59.3.1
v0.59.3.2
v0.59.3.x
v0.59.4
v0.59.4.1
v0.59.4.2
v0.59.4.3
v0.59.4.4
v0.59.4.5
v0.59.4.x
v0.59.5
v0.59.5.1
v0.59.5.2
v0.59.5.x
v0.59.6
v0.59.6.1
v0.59.6.2
v0.59.6.3
v0.59.6.4
v0.59.6.5
v0.59.6.x
v0.59.7
v0.59.7.1
v0.59.7.2
v0.59.7.3
v0.59.7.x
v0.59.8
v0.59.8.1
v0.59.8.2
v0.59.8.3
v0.59.8.4
v0.59.8.5
v0.59.8.x
v0.59.9
v0.59.9.1
v0.59.9.x
v0.60.0.3-beta
v0.60.0.4-beta
v0.60.0.5-beta
v0.60.0.6-beta
v0.60.0.7-beta
v0.60.0.8-beta
v0.60.0.x
v0.60.1
v0.60.1.1
v0.60.1.2
v0.60.1.3
v0.60.1.4
v0.60.1.5
v0.60.1.6
v0.60.1.x
v0.60.2
v0.60.2.1
v0.60.2.2
v0.60.2.3
v0.60.2.4
v0.60.2.5
v0.60.2.6
v0.60.2.x
v0.60.3
v0.60.3.1
v0.60.3.2
v0.60.3.3
v0.60.3.4
v0.60.3.5
v0.60.3.6
v0.60.3.7
v0.60.3.8
v0.60.3.x
v0.60.4
v0.60.4.1
v0.60.4.2
v0.60.4.3
v0.60.4.4
v0.60.4.x
v0.60.5
v0.60.5.1
v0.60.5.2
v0.60.5.3
v0.60.5.x
v0.60.6
v0.60.6.1
v0.60.6.2
v0.60.6.x
v0.60.x
v0.61.0.10-beta
v0.61.0.8-beta
v0.61.0.9-beta
v0.61.0.x
v0.61.1
v0.61.1.1
v0.61.1.2
v0.61.1.3
v0.61.1.x
v0.61.x

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59827.json"