Platform: java
Component: metabase
Fixed in: 0.57.14, 0.58.1
CVE-2026-27464 is a vulnerability in Metabase, an open-source data analytics platform. It is classified as Remote Code Execution (RCE), but the behaviour described in the advisory is information disclosure: an authenticated user can abuse template evaluation to retrieve sensitive information from a Metabase instance, critically including the credentials Metabase uses to connect to its data sources. The vulnerability affects versions prior to 0.57.13 and the 0.58.x line from 0.58.0 through 0.58.6; fixes are available in 0.57.13 and 0.58.7.
The primary impact of CVE-2026-27464 is unauthorized access to the databases connected to the Metabase instance. An attacker who holds any valid Metabase account can use template evaluation to extract connection credentials and other confidential configuration. With those credentials the attacker can connect to the backing database directly, bypassing Metabase's permission model entirely, which allows exfiltration, modification, or deletion of the data. Because credentials are obtained directly rather than through Metabase's query layer, this is a meaningful privilege escalation, and it enables lateral movement if the database server can reach other systems. The blast radius is everything reachable through the compromised database connections, which in most deployments includes business-critical and customer data.
CVE-2026-27464 was publicly disclosed on 2026-02-21. No public proof-of-concept (PoC) has been widely reported, and the EPSS score listed on this page is 0.04% (11th percentile), so the modelled probability of exploitation in the near term is low. The attack nonetheless requires only an ordinary authenticated account, and the payoff is database credentials, so the low EPSS should not be read as a reason to defer patching. The vulnerability is not currently listed in the CISA KEV catalog, and no active campaigns targeting Metabase through it are known.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The definitive mitigation for CVE-2026-27464 is to upgrade Metabase to 0.57.13 or later on the 0.57 line, or to 0.58.7 or later on the 0.58 line (the header of this page lists 0.57.14 and 0.58.1 as fixed versions; confirm the exact fixed release against the linked advisory before relying on either set of numbers). If an immediate upgrade is not feasible, a temporary workaround is to disable notifications in the Metabase instance, which prevents the vulnerable endpoint from being reached and so blocks the attack vector. Monitor Metabase logs for template evaluation activity or attempts to access database credentials. A Web Application Firewall (WAF) rule that blocks requests carrying template syntax can reduce exposure, but it is a stopgap, not a fix. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint and verifying that it no longer returns sensitive data. Because the flaw discloses credentials, also treat any data-source credentials stored in an instance that was exposed while vulnerable as potentially compromised and rotate them.
Upgrade Metabase to version 0.57.13 or later, or to version 0.58.7 or later. Alternatively, disable notifications in your Metabase instance to prevent access to the vulnerable endpoints.
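The upgrade guidance above amounts to a version-range check, and for a fleet of instances that is worth scripting. The following is an added example, not code from the Metabase project or from the advisory. It encodes the affected range this page states (before 0.57.13, or 0.58.0 through 0.58.6) and assumes two things that are not confirmed on this page: that Metabase version tags look like `v0.58.6` (with the leading number being the edition, `0` for open source and `1` for Enterprise, so only the last two components matter), and that `GET /api/session/properties` on a Metabase instance returns a JSON object whose `version.tag` field carries that tag. The embedded sample response is constructed for the example.

```python
"""Classify a Metabase version against the CVE-2026-27464 affected range.

Added example, not Metabase project code. Assumptions (not confirmed by
the advisory text on this page):
  * version tags have the form "v<edition>.<minor>.<patch>[-suffix]"
  * /api/session/properties returns JSON with a "version": {"tag": ...} map
"""
import json
import re
import sys
import urllib.request

TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Affected range as stated on this page; the fixed versions are 0.57.13 and 0.58.7.
FIXED_57 = 13
LAST_AFFECTED_58 = 6


def parse_tag(tag):
    """Return (minor, patch) from a tag such as 'v0.58.6' or 'v1.57.12-beta'."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    _edition, minor, patch = (int(x) for x in m.groups())
    # Assumption: the first component is the edition (0 = OSS, 1 = Enterprise),
    # so the affected range is decided by the remaining two components only.
    return minor, patch


def is_affected(tag):
    """True if the tag falls in the range this page lists as vulnerable."""
    minor, patch = parse_tag(tag)
    if minor < 57:
        return True                      # everything before 0.57.13
    if minor == 57:
        return patch < FIXED_57          # 0.57.0 .. 0.57.12
    if minor == 58:
        return patch <= LAST_AFFECTED_58  # 0.58.0 .. 0.58.6
    return False                         # 0.59 and later are not listed


def check_properties_body(body):
    """Take the raw /api/session/properties body (assumed shape) and return (tag, affected)."""
    tag = json.loads(body)["version"]["tag"]
    return tag, is_affected(tag)


def fetch_properties(base_url, timeout=5):
    """Fetch /api/session/properties from a live instance (assumed endpoint)."""
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response, shaped per the assumption above; not captured
# from a real instance.
SAMPLE_PROPERTIES = json.dumps({"version": {"tag": "v0.58.6", "date": "2026-01-01"}})


if __name__ == "__main__":
    body = fetch_properties(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    tag, affected = check_properties_body(body)
    if affected:
        print(f"{tag}: AFFECTED by CVE-2026-27464, upgrade to 0.57.13 / 0.58.7 or later")
    else:
        print(f"{tag}: not in the affected range listed for CVE-2026-27464")
```

Run it as `python check.py https://metabase.example.internal` to query an instance, or with no argument to exercise the constructed sample. The range logic is deliberately separated from the HTTP fetch so it can be applied to version strings gathered by other means, for example from container image tags or a package inventory.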
CVE-2026-27464 is a vulnerability in Metabase, classified as Remote Code Execution but described as information disclosure, that affects versions prior to 0.57.13 and 0.58.0 through 0.58.6. It allows authenticated users to extract sensitive data such as database credentials.
You are affected if you run any Metabase version before 0.57.13, or any 0.58.x release from 0.58.0 through 0.58.6. Check your version and upgrade immediately if it falls in that range.
Upgrade Metabase to 0.57.13 or later, or to 0.58.7 or later. As a temporary workaround, disable notifications in your Metabase instance.
No widespread exploitation has been confirmed, but the vulnerability requires only an authenticated account and yields database credentials, so the risk is real. Continuous monitoring is recommended.
Refer to the official Metabase security advisory for details: [https://www.metabase.com/security/advisories/CVE-2026-27464](https://www.metabase.com/security/advisories/CVE-2026-27464)