CVE-2026-27464

7.7 HIGH

📋 TL;DR

An authenticated Metabase user can abuse template evaluation in email notifications to read sensitive information, including the credentials Metabase holds for its connected databases. Affected: every release before 0.57.13, and 0.58.0 through 0.58.6. Any deployment on those versions is exposed to anyone who can log in; no admin rights are required.

💻 Affected Systems

Products:
  • Metabase
Versions: Prior to 0.57.13; 0.58.0 through 0.58.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects all deployment types (cloud, on-premise, containers)

📦 What is this software?

Metabase is an open-source business intelligence and analytics application. It connects to an organization's databases and data warehouses, runs queries against them, and delivers saved questions and dashboards to users, including by scheduled email alerts and dashboard subscriptions. Because it stores a connection credential for every data source it is configured against, leaking its configuration exposes those upstream databases.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain database credentials leading to full database compromise, data exfiltration, and potential lateral movement to connected systems.

🟠

Likely Case

Unauthorized access to sensitive configuration data and database credentials, enabling data theft and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper access controls, but still exposes sensitive configuration information to authenticated users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.57.13 or 0.58.7

Vendor Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-vcj8-rcm8-gfj9

Restart Required: Yes

Instructions:

1. Back up your Metabase instance and its application database.
2. Upgrade to Metabase 0.57.13 (if you are on the 0.57 line) or 0.58.7 (if you are on the 0.58 line) from the official releases: replace the JAR, or for container deployments pull the matching image tag and redeploy.
3. Restart the Metabase service.
4. Verify the running version is the patched one (see How to Verify below).

🔧 Temporary Workarounds

Disable email notifications (applies to all deployment types)

Disable all email notifications so the vulnerable template evaluation path cannot be triggered through a mail channel. This removes the delivery channel rather than the flaw itself, so treat it as a stopgap until the upgrade is applied.

Navigate to Admin > Settings > Email in the Metabase UI and disable email notifications by clearing the SMTP configuration.

🧯 If You Can't Patch

  • Tighten access controls: restrict which groups can create or edit alerts and dashboard subscriptions, and review every account that can log in, since any authenticated user is in scope
  • Monitor for suspicious access to notification-related endpoints and for signs that stored credentials are being used from unexpected hosts (see Detection & Monitoring below), and rotate database credentials if you suspect exposure

🔍 How to Verify

Check if Vulnerable:

Compare the running Metabase version against the affected ranges: any release before 0.57.13 (including 0.57.0 through 0.57.12 and all earlier lines), or 0.58.0 through 0.58.6

Check Version:

Check Admin > Troubleshooting > About in the Metabase UI, read the version tag printed in the application startup log, or request /api/session/properties (the endpoint the Metabase web client loads its own version from) and read the version tag it returns

Verify Fix Applied:

Confirm the version is 0.57.13 or a later 0.57.x release, or 0.58.7 or later (note that "0.57.13 or higher" alone is not enough: 0.58.0 through 0.58.6 are numerically higher and still vulnerable), and test that a non-admin authenticated user can no longer extract credentials via notifications
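The version checks above, as an added worked example (not code from this page or from the Metabase project). The script reads the version tag from the /api/session/properties response, the unauthenticated document the Metabase web client loads its own version from (the `version.tag` field layout is assumed), and compares it against the two fixed releases. The mapping of Enterprise `v1.x.y` tags onto the OSS `v0.x.y` numbering is an assumption, and the sample response is constructed.

```python
import json
import re
from typing import Optional, Tuple

# Fixed releases from the advisory, keyed by minor version:
# 0.57.13 closes the 0.57 line, 0.58.7 closes the 0.58 line.
FIXED = {57: 13, 58: 7}

# Constructed sample of GET /api/session/properties (field layout assumed;
# only "version.tag" is used here).
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v0.58.6", "date": "2026-02-10", "hash": "abc1234"},
    "site-name": "Example BI",
})

_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_tag(tag: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v0.58.6' (or 'v1.58.6') into (major, minor, patch); None if unparsable."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(tag: str) -> Optional[bool]:
    """
    True if the tag is inside the affected ranges, False if it is a fixed or
    later release, None if the tag cannot be parsed.

    Assumption: Enterprise builds are tagged v1.MINOR.PATCH with the same
    MINOR.PATCH as the OSS v0.MINOR.PATCH release, so the major is ignored.
    """
    parsed = parse_tag(tag)
    if parsed is None:
        return None
    _major, minor, patch = parsed
    if minor in FIXED:
        return patch < FIXED[minor]          # 0.57.x < .13, 0.58.x < .7
    return minor < min(FIXED)                # 0.56 and earlier: affected; 0.59+: not listed


def check_properties(body: str) -> Tuple[Optional[str], Optional[bool]]:
    """Extract the tag from a /api/session/properties body and classify it."""
    try:
        tag = json.loads(body)["version"]["tag"]
    except (ValueError, KeyError, TypeError):
        return None, None
    return tag, is_vulnerable(tag)


if __name__ == "__main__":
    import sys
    import urllib.request

    if len(sys.argv) > 1:
        # Usage: python check_metabase.py https://metabase.example.internal
        url = sys.argv[1].rstrip("/") + "/api/session/properties"
        with urllib.request.urlopen(url) as resp:
            body = resp.read().decode()
    else:
        body = SAMPLE_PROPERTIES
    tag, status = check_properties(body)
    verdict = {True: "VULNERABLE", False: "fixed", None: "unknown"}[status]
    print(f"{tag}: {verdict}")
```

Run it with your instance's base URL as the only argument; with no argument it classifies the constructed sample. A `None` verdict means the tag could not be read, which is worth checking by hand rather than treating as safe.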

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of requests to notification endpoints from a single account or client address, especially from scripting user agents
  • Repeated creation or editing of alerts and subscriptions by a user who does not normally use them, including attempts that fail with 4xx errors

Network Indicators:

  • Increased traffic to notification-related API endpoints from authenticated users

SIEM Query:

source="metabase" AND (uri_path="/api/notification" OR uri_path="/api/email") AND user_authenticated=true

The field names are illustrative; map them to what your reverse proxy or log pipeline actually emits. Metabase sessions are cookie-based, so a proxy access log gives you the client address rather than the Metabase user; attribute hits to users through Metabase's own logs or its audit log where your edition provides one. This query also matches legitimate subscription traffic, so baseline it before alerting on it.
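The detection logic above run over constructed reverse-proxy access-log lines, as an added example that is not part of this page or of the Metabase project. It keys on the client address, since that is all a proxy sees of a cookie-based Metabase session, and flags clients that hit notification-related API paths repeatedly inside a sliding window. The watched paths are the two named in the query above plus, as an assumption, the older `/api/alert` and `/api/pulse` endpoints that preceded `/api/notification`; the log format is the nginx/Apache "combined" format and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Optional, Tuple

# Paths from the page's query, plus (assumption) the older alert/subscription
# endpoints that predate /api/notification in Metabase.
WATCH_PREFIXES = ("/api/notification", "/api/email", "/api/alert", "/api/pulse")

# nginx/Apache "combined" access-log format from a reverse proxy in front of Metabase.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 10.0.0.5 hammers the notification API from curl within a
# few minutes; 10.0.0.9 is a normal browser user with two widely spaced hits.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2026:14:00:01 +0000] "POST /api/notification HTTP/1.1" 200 512 "-" "curl/8.5"
10.0.0.9 - - [10/Mar/2026:14:00:20 +0000] "GET /api/dashboard/3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2026:14:00:32 +0000] "POST /api/notification HTTP/1.1" 200 511 "-" "curl/8.5"
10.0.0.5 - - [10/Mar/2026:14:01:05 +0000] "PUT /api/notification/41 HTTP/1.1" 200 530 "-" "curl/8.5"
10.0.0.9 - - [10/Mar/2026:14:01:40 +0000] "POST /api/notification HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2026:14:01:58 +0000] "POST /api/notification HTTP/1.1" 200 509 "-" "curl/8.5"
10.0.0.5 - - [10/Mar/2026:14:02:30 +0000] "POST /api/notification HTTP/1.1" 200 515 "-" "curl/8.5"
10.0.0.5 - - [10/Mar/2026:14:03:10 +0000] "GET /api/email HTTP/1.1" 403 30 "-" "curl/8.5"
10.0.0.9 - - [10/Mar/2026:14:45:00 +0000] "POST /api/notification HTTP/1.1" 200 499 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Parse one combined-format line into (ip, timestamp, method, path, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bursts(log_text: str, window_s: int = 600, threshold: int = 4) -> Dict[str, int]:
    """
    Return {client_ip: peak_count} for clients that touched a watched path at
    least `threshold` times within any `window_s`-second sliding window.
    Failed requests (4xx) count too: probing for admin-only endpoints such as
    the email settings is itself a signal.
    """
    windows = defaultdict(deque)   # ip -> timestamps of recent watched hits
    peaks: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, _status = rec
        if not path.startswith(WATCH_PREFIXES):
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()            # drop hits that fell out of the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    import sys

    # Usage: python notification_bursts.py /var/log/nginx/access.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, peak in sorted(find_bursts(text).items()):
        print(f"{ip}: {peak} notification-endpoint hits within 10 minutes")
```

Tune `threshold` to your own baseline: a team that edits many dashboard subscriptions on a Monday morning will trip a low threshold, while a scripted extraction attempt tends to show a tight cluster of writes from one address with a non-browser user agent.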

🔗 References

  • Vendor advisory: https://github.com/metabase/metabase/security/advisories/GHSA-vcj8-rcm8-gfj9