Metabase Sensitive Info Disclosure via Notification Endpoint (CVE-2026-27464)

Critical Vulnerability Summary Vulnerability Title: Authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. Disclosure Date: 2 days ago Affected Scope Affected Versions: - Metabase OSS: <x.57.13, <x.58.7 - Metabase Enterprise: <x.57.13, <x.58.7 Fixed Versions: - 0.57.13, 0.58.7, 1.57.13, 1.58.7 Vulnerability Description Impact: By providing a specific template to the notification endpoint, code submitted can be executed on the server side within the notification payload, and the rendered output is included in outgoing emails. It has been confirmed that low-privileged users can extract sensitive information, including database credentials, from the email content via template evaluation. Remediation Download Links for Fixed Versions: - v0.57.13: - Docker Image: - JAR Download: https://downloads.metabase.com/v0.57.13/metabase.jar - v1.57.13: - Docker Image: - JAR Download: https://downloads.metabase.com/enterprise/v1.57.13/metabase.jar - v0.58.7: - Docker Image: - JAR Download: https://downloads.metabase.com/v0.58.7/metabase.jar - v1.58.7: - Docker Image: - JAR Download: https://downloads.metabase.com/enterprise/v1.58.7/metabase.jar Temporary Mitigation Users can disable notifications in their Metabase instance to prevent access to the vulnerable endpoint. Additional Information Severity: 7.7/10 CVSS 3.1 Base Metrics: - Attack Vector: Network - Attack Complexity: Low - Required Privileges: Low - User Interaction: None - Scope: Changed - Confidentiality: High - Integrity: None - Availability: None CVE ID: CVE-2026-27464 Acknowledgments: Thanks to Sho Odagiri of GMO Cybersecurity by Ierae, Inc. for discovering and responsibly disclosing this vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Metabase Sensitive Info Disclosure via Notification Endpoint (CVE-2026-27464)

More from this source