Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. To workaround this issue, users can disable notifications in their Metabase instance to disallow access to the vulnerable endpoints.

Basic Information

ID CVE-2026-27464

Source GitHub_M

Published Feb 21, 2026 at 07:57

Affected Product

Vendor metabase

Product metabase

Version < 0.57.13

Affected Versions metabase metabase < 0.57.13
metabase metabase >= 0.58.x, < 0.58.7

CWE Classification

CWE-1336 CWE-94

References

{
    "lastseen": "",
    "description": "Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. To workaround this issue, users can disable notifications in their Metabase instance to disallow access to the vulnerable endpoints.",
    "published": "2026-02-21T07:57:50.957Z",
    "modified": "2026-02-21T07:57:50.957Z",
    "type": "cve",
    "title": "Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE",
    "source": "GitHub_M",
    "references": "https://github.com/metabase/metabase/security/advisories/GHSA-vcj8-rcm8-gfj9\nhttps://github.com/metabase/metabase/releases/tag/v0.57.13\nhttps://github.com/metabase/metabase/releases/tag/v0.58.7",
    "id": "CVE-2026-27464",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1336",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "metabase metabase < 0.57.13\nmetabase metabase >= 0.58.x, < 0.58.7",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "metabase",
    "version": "< 0.57.13",
    "vendor": "metabase",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE_CVE-2026-27464