Platform: java
Component: metabase
Fixed versions: 0.57.14, 0.58.1
CVE-2026-27464 describes a Remote Code Execution (RCE) vulnerability in Metabase, an open-source data analytics platform. This flaw allows authenticated users to retrieve sensitive information, critically including database access credentials, from a Metabase instance. The vulnerability impacts versions prior to 0.57.13 and those in the 0.58.x range up to 0.58.6. A fix has been released in version 0.58.7.
The primary impact of CVE-2026-27464 is the potential for unauthorized access to sensitive data stored within the Metabase instance's connected databases. An attacker, once authenticated, can leverage template evaluation to extract database credentials and other confidential information. This could lead to complete database compromise, enabling data exfiltration, modification, or deletion. The ability to retrieve database credentials directly represents a significant escalation of privilege, allowing attackers to move laterally within the network if the database has access to other systems. The blast radius extends to any data accessible through the compromised database, potentially impacting business-critical information and sensitive customer data.
CVE-2026-27464 was publicly disclosed on 2026-02-21. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation, coupled with the sensitivity of the data at risk, suggests a medium probability of exploitation (EPSS score likely medium). The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting Metabase are not currently known, but the vulnerability's severity warrants close monitoring.
Organizations utilizing Metabase for data analytics, particularly those connecting to sensitive databases containing customer data or financial information, are at significant risk. Shared hosting environments where multiple Metabase instances share the same database server are especially vulnerable, as a compromise of one instance could potentially expose the credentials for all instances on that server. Legacy Metabase deployments running older, unpatched versions are also highly susceptible.
• linux / server:
  journalctl -u metabase | grep -i "template evaluation"
• generic web:
  curl -I https://<metabase_url>/notifications/email | grep -i "database credentials"
• database (mysql, postgresql):
  -- MySQL
  SELECT user, host FROM mysql.user;
  -- PostgreSQL (pg_user exposes user names; there is no pg_hba_password() function)
  SELECT usename FROM pg_user;

Disclosure
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2026-27464 is to upgrade Metabase to version 0.58.7 or later. If an immediate upgrade is not feasible, a temporary workaround involves disabling notifications within the Metabase instance. This prevents the vulnerable endpoint from being accessed, effectively blocking the attack vector. Monitor Metabase logs for any suspicious activity related to template evaluation or attempts to access database credentials. Consider implementing a Web Application Firewall (WAF) with rules to block requests containing potentially malicious template code. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint and verifying that it no longer returns sensitive data.
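A quick way to act on the "check your version" step: the following script (added here as an example; it is not code from Metabase or from this advisory) encodes the affected ranges exactly as the advisory text states them, versions before 0.57.13 and the 0.58.0 through 0.58.6 range, and tells you which release to move to. It assumes you already have the instance's version string, for example the "tag" value under "version" in the JSON an instance returns for its session properties; that JSON shape and the sample document below are assumptions, not something this advisory documents.

```python
"""Added example: classify a Metabase version string against the affected
ranges given in this advisory (before 0.57.13, or 0.58.0 through 0.58.6).
Not Metabase's own code; the ranges come from the advisory text above."""
import json
import re

# First fixed releases on each line, as stated in the advisory prose.
FIXED_057 = (0, 57, 13)
FIXED_058 = (0, 58, 7)

# Constructed sample of the JSON shape assumed for an instance's session
# properties; only the nested "version" -> "tag" field is used here.
SAMPLE_PROPERTIES = json.dumps({"version": {"tag": "v0.58.6", "date": "2026-01-15"}})


def version_from_properties(doc: str) -> str:
    """Extract the version tag from a session-properties JSON document (assumed shape)."""
    return json.loads(doc)["version"]["tag"]


def parse_version(tag: str) -> tuple:
    """Turn 'v0.58.6', '0.58.6' or '0.58.6-SNAPSHOT' into (0, 58, 6)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version: {tag!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(tag: str) -> bool:
    """True if the version lies in an affected range named by the advisory."""
    v = parse_version(tag)
    if v[:2] == (0, 58):
        # 0.58.x is a separate line: 0.58.0-0.58.6 affected, 0.58.7+ fixed.
        return v < FIXED_058
    # Every other line is affected exactly when it predates 0.57.13
    # (assumption: no other backported fixes are listed on this page).
    return v < FIXED_057


def advise(tag: str) -> str:
    """Human-readable verdict plus the first fixed release for that line."""
    if not is_affected(tag):
        return f"{tag}: not in the affected range"
    target = FIXED_058 if parse_version(tag)[:2] == (0, 58) else FIXED_057
    return f"{tag}: AFFECTED, upgrade to {'.'.join(map(str, target))} or later"


if __name__ == "__main__":
    # Constructed inputs covering both sides of each fix boundary.
    for tag in ["v0.56.4", "v0.57.12", "v0.57.13", "v0.58.0", "v0.58.6", "v0.58.7", "v0.59.0"]:
        print(advise(tag))
    print(advise(version_from_properties(SAMPLE_PROPERTIES)))
```

Run it against the tag reported by each instance you operate; anything flagged AFFECTED should be upgraded, and until then notifications can be disabled as the workaround above describes.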
Upgrade Metabase to version 0.57.13 or later, or to version 0.58.7 or later. Alternatively, disable notifications in your Metabase instance to prevent access to the vulnerable endpoints.
CVE-2026-27464 is a Remote Code Execution vulnerability affecting Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6, allowing authenticated users to extract sensitive data like database credentials.
You are affected if you are running any Metabase 0.58.x release earlier than 0.58.7, or an earlier release line. Check your version and upgrade immediately if vulnerable.
Upgrade Metabase to version 0.58.7 or later. As a temporary workaround, disable notifications in your Metabase instance.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential risk. Continuous monitoring is recommended.
Refer to the official Metabase security advisory for details: [https://www.metabase.com/security/advisories/CVE-2026-27464](https://www.metabase.com/security/advisories/CVE-2026-27464)