Platform
java
Component
metabase
Fixed in
0.57.14
0.58.1
CVE-2026-27464 describes a Remote Code Execution (RCE) vulnerability in Metabase, an open-source data analytics platform. This flaw allows authenticated users to retrieve sensitive information, critically including database access credentials, from a Metabase instance. The vulnerability impacts versions prior to 0.57.13 and those in the 0.58.x range up to 0.58.6. A fix has been released in version 0.58.7.
The primary impact of CVE-2026-27464 is the potential for unauthorized access to sensitive data stored within the Metabase instance's connected databases. An attacker, once authenticated, can leverage template evaluation to extract database credentials and other confidential information. This could lead to complete database compromise, enabling data exfiltration, modification, or deletion. The ability to retrieve database credentials directly represents a significant escalation of privilege, allowing attackers to move laterally within the network if the database has access to other systems. The blast radius extends to any data accessible through the compromised database, potentially impacting business-critical information and sensitive customer data.
CVE-2026-27464 was publicly disclosed on 2026-02-21. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation, coupled with the sensitivity of the data at risk, suggests a medium probability of exploitation (EPSS score likely medium). The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting Metabase are not currently known, but the vulnerability's severity warrants close monitoring.
Organizations utilizing Metabase for data analytics, particularly those connecting to sensitive databases containing customer data or financial information, are at significant risk. Shared hosting environments where multiple Metabase instances share the same database server are especially vulnerable, as a compromise of one instance could potentially expose the credentials for all instances on that server. Legacy Metabase deployments running older, unpatched versions are also highly susceptible.
• linux / server:
  journalctl -u metabase | grep -i "template evaluation"
• generic web:
  # -s instead of -I: the string is searched in the response body, and -I would return headers only
  curl -s https://<metabase_url>/notifications/email | grep -i "database credentials"
• database (mysql, postgresql):
  -- MySQL
  SELECT user, host FROM mysql.user;
  -- PostgreSQL: pg_hba_password() does not exist; the password hashes live in pg_shadow (superuser required)
  SELECT usename, passwd FROM pg_shadow;
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2026-27464 is to upgrade Metabase to version 0.58.7 or later. If an immediate upgrade is not feasible, a temporary workaround involves disabling notifications within the Metabase instance. This prevents the vulnerable endpoint from being accessed, effectively blocking the attack vector. Monitor Metabase logs for any suspicious activity related to template evaluation or attempts to access database credentials. Consider implementing a Web Application Firewall (WAF) with rules to block requests containing potentially malicious template code. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint and verifying that it no longer returns sensitive data.
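To turn the "check your version" and "monitor the logs" advice above into something repeatable, here is an added example (not code from the advisory or from the Metabase project) that encodes the affected range exactly as the advisory text states it (every release before 0.57.13, and 0.58.0 through 0.58.6) and scans journal lines for the "template evaluation" indicator the detection section greps for. The version tags, the journal lines and the mapping of Enterprise 1.x tags onto the 0.x line are constructed assumptions for this example, not values taken from the page:

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory text for CVE-2026-27464,
# written as half-open intervals [lower, upper): upper is the first fixed release.
AFFECTED_RANGES = [
    ((0, 0, 0), (0, 57, 13)),   # everything before 0.57.13
    ((0, 58, 0), (0, 58, 7)),   # 0.58.0 .. 0.58.6
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> Optional[Version]:
    """Parse tags such as 'v0.58.3' or '0.57.12-SNAPSHOT' into (major, minor, patch).

    Assumption for this example: Enterprise builds are tagged 1.x with the same
    minor/patch numbers as the OSS 0.x line, so a leading 1 is mapped onto 0.
    Returns None when the tag is not a recognisable version.
    """
    m = _VERSION_RE.match(tag.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    if major == 1:
        major = 0
    return (major, minor, patch)


def is_affected(tag: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is fixed,
    None if the tag could not be parsed (treat None as 'needs manual review')."""
    v = parse_version(tag)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan_journal(lines: List[str], indicator: str = "template evaluation") -> List[str]:
    """Return the journal lines that contain the indicator string, case-insensitively.
    Mirrors: journalctl -u metabase | grep -i "template evaluation"."""
    needle = indicator.lower()
    return [line for line in lines if needle in line.lower()]


# Constructed sample journal lines (not real Metabase output) to exercise scan_journal().
SAMPLE_JOURNAL = [
    "Feb 21 10:01:12 host metabase[1234]: INFO  metabase.core :: Metabase Initialization COMPLETE",
    "Feb 21 10:05:40 host metabase[1234]: WARN  metabase.notification :: Template evaluation failed for notification 42",
    "Feb 21 10:05:41 host metabase[1234]: INFO  metabase.api.session :: login ok",
]


def review(tag: str, journal: List[str]) -> dict:
    """Combine both checks into one report for a single instance."""
    return {
        "version": tag,
        "affected": is_affected(tag),
        "indicator_hits": scan_journal(journal),
    }


if __name__ == "__main__":
    for t in ["v0.58.6", "v0.58.7", "0.57.12", "v0.57.13"]:
        print(t, "affected" if is_affected(t) else "fixed")
    print(review("v0.58.3", SAMPLE_JOURNAL))
```

The result of `is_affected` is three-valued on purpose: an unparseable tag returns None rather than a confident "fixed", so an inventory script that cannot read a version never silently marks an instance as patched.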
Upgrade Metabase to version 0.57.13 or later, or to version 0.58.7 or later. Alternatively, disable notifications in your Metabase instance to prevent access to the vulnerable endpoints.
CVE-2026-27464 is a Remote Code Execution vulnerability affecting Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6, allowing authenticated users to extract sensitive data like database credentials.
You are affected if you are running a Metabase 0.58.x release earlier than 0.58.7, or any earlier release line. Check your version and upgrade immediately if vulnerable.
Upgrade Metabase to version 0.58.7 or later. As a temporary workaround, disable notifications in your Metabase instance.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential risk. Continuous monitoring is recommended.
Refer to the official Metabase security advisory for details: [https://www.metabase.com/security/advisories/CVE-2026-27464](https://www.metabase.com/security/advisories/CVE-2026-27464)