CVE-2026-27464
Published: 21 February 2026
Summary
CVE-2026-27464 is a high-severity Code Injection (CWE-94) vulnerability in Metabase. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 15.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Patching: directly mitigates the vulnerability by requiring timely remediation to Metabase 0.57.13 or 0.58.7, which fix the template evaluation flaw that exposes database credentials.
- SI-10 (Information Input Validation): prevents code injection (CWE-94) in template evaluation by validating and sanitizing user input to the email notification endpoints, blocking extraction of database credentials.
- CM-7 (Least Functionality): enforces least functionality by disabling notifications, the recommended workaround, which removes access to the vulnerable endpoints through which low-privileged users can disclose sensitive information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote authenticated exploitation of the Metabase web application (T1190) directly enables extraction of stored database credentials through the template processing flaw (T1552).
NVD Description
Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information, including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. To work around this issue, users can disable notifications in their Metabase instance to disallow access to the vulnerable endpoints.
Deeper analysis
CVE-2026-27464 is a vulnerability in Metabase, an open-source data analytics platform, affecting versions prior to 0.57.13 and versions 0.58.x through 0.58.6. It enables authenticated users to retrieve sensitive information from a Metabase instance, including database access credentials. Testing confirmed that low-privileged users can extract this sensitive data, such as database credentials, into the email body through template evaluation. The flaw is associated with CWE-94 (code injection) and CWE-1336 (insufficient control of implicit action), and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
A low-privileged authenticated user can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation occurs via access to vulnerable endpoints involved in email notifications and template processing, allowing the attacker to disclose high-impact confidential data like database credentials without affecting integrity or availability.
Metabase has fixed the issue in versions 0.57.13 and 0.58.7. As a workaround, users can disable notifications in their Metabase instance to prevent access to the vulnerable endpoints. Additional details are provided in the Metabase security advisory at GHSA-vcj8-rcm8-gfj9 and the release notes for the patched versions.
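As an added example (not part of this advisory or of Metabase's own code), the affected and fixed ranges stated above can be turned into a triage check over an inventory of Metabase instances. The inventory entries are constructed, and any version at or above 0.58.7 is assumed fixed, since the advisory lists no affected range beyond 0.58.6.

```python
import re

# Version boundaries stated in the advisory for CVE-2026-27464: affected are
# all versions before 0.57.13 and 0.58.0 through 0.58.6; fixed are 0.57.13
# and 0.58.7. Anything at or above 0.58.7 is treated as fixed here
# (assumption: the advisory lists no affected range above 0.58.6).
FIXED_057 = (0, 57, 13)
FIRST_058 = (0, 58, 0)
FIXED_058 = (0, 58, 7)

def parse_version(version):
    """Parse 'v0.58.6' or '0.57.13-rc1' into (major, minor, patch) ints."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))  # missing patch -> 0

def is_affected(version):
    """True if the Metabase version falls inside an affected range."""
    v = parse_version(version)
    return v < FIXED_057 or FIRST_058 <= v < FIXED_058

def triage(instances):
    """Map host -> action for a constructed inventory: dicts carrying
    'host', 'version' and 'notifications_enabled' keys."""
    actions = {}
    for inst in instances:
        if not is_affected(inst["version"]):
            actions[inst["host"]] = "not affected"
            continue
        # Patch target within the instance's own release line, per the advisory.
        target = "0.57.13" if parse_version(inst["version"]) < FIRST_058 else "0.58.7"
        if inst["notifications_enabled"]:
            # Vulnerable endpoints reachable: patch, or apply the workaround now.
            actions[inst["host"]] = f"URGENT: upgrade to {target} or disable notifications"
        else:
            # Workaround in place; only the patch removes the flaw itself.
            actions[inst["host"]] = f"workaround active; schedule upgrade to {target}"
    return actions

SAMPLE = [  # constructed sample inventory, not real hosts
    {"host": "bi-prod", "version": "0.58.6", "notifications_enabled": True},
    {"host": "bi-staging", "version": "v0.57.9", "notifications_enabled": False},
    {"host": "bi-new", "version": "0.58.7", "notifications_enabled": True},
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE).items():
        print(f"{host}: {action}")
```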
Details
- CWE(s)