{"id":"CVE-2026-59827","summary":"Metabase: Unsafe Deserialization of H2 Query Results","details":"Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.","aliases":["GHSA-w95f-x9v9-wv36"],"modified":"2026-07-16T03:49:20.703422837Z","published":"2026-07-09T17:43:57.546Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59827.json","unresolved_ranges":[{"extracted_events":[{"introduced":"1.58.0"},{"fixed":"1.58.15"},{"introduced":"1.59.0"},{"fixed":"1.59.12"},{"introduced":"1.60.0"},{"fixed":"1.60.6.3"},{"introduced":"1.61.0"},{"fixed":"1.61.1.4"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"GitHub_M","cwe_ids":["CWE-502"]},"references":[{"type":"WEB","url":"https://github.com/metabase/metabase/releases/tag/v0.58.15"},{"type":"WEB","url":"https://github.com/metabase/metabase/releases/tag/v0.59.12"},{"type":"WEB","url":"https://github.com/metabase/metabase/releases/tag/v0.60.6.3"},{"type":"WEB","url":"https://github.com/metabase/metabase/releases/tag/v0.61.1.4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59827.json"},{"type":"ADVISORY","url":"https://github.com/metabase/metabase/security/advisories/GHSA-w95f-x9v9-wv36"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59827"},{"type":"FIX","url":"https://github.com/metabase/metabase/commit/00f42511fe3bc4385652a2e96862ee6fd7d42cf8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/metabase/metabase","events":[{"introduced":"e28326bbbdfb9b6f5fd3b8638088a18f108a95c6"},{"fixed":"094f0ca48d00684782840501ad84891a327cd2d2"},{"introduced":"95d41fa1e4435aa4ff147c4c7cb0d08c2f3b586a"},{"fixed":"2996c7fee5a82b33453368db60186e64fbaa0d3b"},{"introduced":"cc12039807af543e457938ac5b6fdf7927ae4110"},{"fixed":"34b449b6335d13cd412f50e28356ebf576bcdcc1"},{"introduced":"d5bb4cce64086bd941b332fbbf7b19e6d02e222c"},{"fixed":"5c9a21534a770c5597b80a46ce99489cc6e23088"},{"fixed":"00f42511fe3bc4385652a2e96862ee6fd7d42cf8"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*","extracted_events":[{"introduced":"0.58.0"},{"fixed":"0.58.15"},{"introduced":"0.59.0"},{"fixed":"0.59.12"},{"introduced":"0.60.0"},{"fixed":"0.60.6.3"},{"introduced":"0.61.0"},{"fixed":"0.61.1.4"}]}}],"versions":["v0.60.6.2","v0.61.1.3","v0.58.14.x","v0.58.14.1","v0.61.1.2","v0.60.6.1","v0.61.1.1","v0.60.6.x","v0.60.6","v0.61.1.x","v0.61.1","v0.60.5.3","v0.61.0.10-beta","v0.60.5.2","v0.60.5.x","v0.60.5","v0.61.0.9-beta","v0.60.5.1","v0.60.4.3","v0.59.11.x","v0.59.11","v0.61.x","v0.61.0.x","v0.61.0.8-beta","v0.59.10.x","v0.59.10.1","v0.59.10","v0.60.4.x","v0.60.4.4","v0.58.14","v0.60.4.2","v0.58.13.x","v0.58.13.1","v0.60.4.1","v0.60.4","v0.60.3.x","v0.60.3.8","v0.60.3.7","v0.60.3.6","v0.60.3.5","v0.60.3.4","v0.60.3.3","v0.59.9.x","v0.59.9.1","v0.60.3.2","v0.59.9","v0.60.3.1","v0.60.3","v0.59.8.3","v0.60.2.x","v0.60.2.6","v0.60.2.5","v0.60.2.4","v0.59.8.4","v0.59.8.x","v0.59.8.5","v0.60.2.3","v0.59.8.2","v0.59.8.1","v0.60.2.1","v0.60.2.2","v0.60.2","v0.60.1.x","v0.60.1.6","v0.60.1.5","embedding-sdk-0.60.0","v0.59.8","v0.59.7.x","v0.59.7.3","v0.60.1.4","v0.60.1.3","v0.59.7.2","v0.60.1.2","v0.59.7.1","v0.60.1.1","v0.60.1","v0.59.7","v0.60.0.8-beta","v0.58.13","v0.59.6.4","v0.60.0.7-beta","v0.59.6.5","v0.60.0.6-beta","v0.59.6.3","v0.59.6.x","v0.59.6.2","v0.60.0.5-beta","v0.58.12.x","v0.58.12","v0.59.6","v0.60.0.4-beta","v0.59.5.2","v0.59.6.1","v0.58.11.x","v0.58.11","embedding-sdk-60-stable","embedding-sdk-0.60.0-beta.0","v0.59.5","v0.59.5.x","v0.59.5.1","v0.59.4.x","v0.59.4.5","v0.60.x","v0.60.0.x","v0.60.0.3-beta","v0.59.4.4","v0.59.4.3","v0.58.10.x","v0.58.10.1","v0.59.4.2","v0.58.10","v0.59.4.1","v0.59.4","v0.59.3.x","v0.59.3.2","v0.59.3.1","v0.58.9.2","v0.59.3","v0.59.2.7","v0.58.9.1","v0.59.2.6","v0.59.2.5","v0.59.2.4","v0.59.2.3","v0.59.2.2","v0.58.9.x","v0.58.9","v0.59.2.1","v0.59.2.x","v0.59.2","v0.59.1.6","v0.58.8.5","v0.59.1.5","v0.58.8.6","v0.59.1.4","v0.59.1.3","v0.59.1.2","v0.58.8.3","v0.58.8.4","v0.59.1.1","embedding-sdk-0.59.0","v0.58.8.2","v0.58.8.1","v0.59.1.x","v0.59.1","v0.58.8.x","v0.58.8","v0.58.7.6","v0.59.0.7-beta","v0.58.7.5","v0.59.0.6-beta","v0.58.7.3","v0.59.0.5-beta","v0.58.7.4","v0.58.7.2","v0.59.0.4-beta","v0.59.0.3-beta","v0.58.7.x","v0.58.7.1","v0.59.0.2-beta","v0.58.7","v0.58.6.1","embedding-sdk-59-stable","embedding-sdk-0.59.0-beta.0","v0.58.6.x","v0.58.6","v0.59.0.x","v0.59.0.1-beta","v0.58.5.5","v0.58.5.3","v0.58.5.2","v0.58.5.1","v0.58.5.4","v0.58.4","v0.58.x","v0.58.5.x","v0.58.5","latest-oss","latest-ee","v0.58.4.x","v0.58.4.2","v0.58.4.1","v0.58.3.x","v0.58.3.4","v0.58.3.3","v0.58.3.2","v0.58.3.1","v0.58.3","v0.58.2.x","v0.58.2.6","v0.58.2.5","v0.58.2.4","v0.58.2.3","v0.58.2.2","v0.58.2.1","v0.58.2","v0.58.1.x","v0.58.1.3","embedding-sdk-58-stable","embedding-sdk-0.58.0","v0.58.1.2","v0.58.1.1","v0.58.1","v0.58.0.x","v0.58.0.10-beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59827.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}