CVE-2026-27464 Overview
CVE-2026-27464 is a high-severity code injection vulnerability affecting Metabase, an open-source data analytics platform. The vulnerability allows authenticated users to retrieve sensitive information from a Metabase instance, including database access credentials, through improper template evaluation in the notification system.
Critical Impact
Low-privileged authenticated users can extract database credentials and other sensitive information via template injection in email notifications, potentially compromising connected data sources.
Affected Products
- Metabase versions prior to 0.57.13
- Metabase versions 0.58.0 through 0.58.6
Discovery Timeline
- 2026-02-21 - CVE-2026-27464 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-27464
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw exists in Metabase's notification system, specifically in how template evaluation is handled when generating email content. Authenticated users, even those with minimal privileges, can exploit the template evaluation mechanism to extract sensitive configuration data from the Metabase instance.
The vulnerability is particularly concerning because Metabase stores database connection credentials to facilitate data analytics functionality. An attacker who successfully exploits this vulnerability can extract these credentials and gain unauthorized access to connected databases, potentially leading to data breaches affecting systems beyond the Metabase application itself.
Root Cause
The root cause of this vulnerability lies in improper template processing within the notification subsystem. The template evaluation engine does not adequately restrict access to sensitive internal objects and configuration data. When processing notification templates, the engine allows users to inject expressions that can access and exfiltrate database credentials and other sensitive configuration information through the resulting email body.
Attack Vector
The attack is network-based and requires low-privilege authentication to the Metabase platform. An attacker would need to:
- Authenticate to the Metabase instance with any valid user account
- Access the notification functionality
- Craft malicious template expressions designed to extract sensitive data
- Trigger the notification system to process the malicious template
- Receive the email containing the exfiltrated sensitive information
The vulnerability allows the extracted information to be written into the email body, so an attacker receiving the notification captures database credentials and other sensitive configuration data directly. Since the attack requires only low-privilege authentication and no user interaction, it presents a significant risk to organizations running vulnerable Metabase versions.
Detection Methods for CVE-2026-27464
Indicators of Compromise
- Unusual notification template modifications or creations by low-privileged users
- Email notifications containing database connection strings or credential patterns
- Unexpected access to notification-related API endpoints
- Audit logs showing template evaluation with suspicious expressions
Detection Strategies
- Monitor Metabase audit logs for unusual activity in notification configuration endpoints
- Implement email content inspection for patterns matching database credentials or connection strings
- Review user activity logs for low-privileged accounts accessing notification features
- Deploy application-layer monitoring to detect template injection patterns
Monitoring Recommendations
- Enable comprehensive logging for all notification-related operations in Metabase
- Configure alerts for any modifications to notification templates by non-administrative users
- Implement outbound email scanning to detect potential credential leakage
- Regularly audit user permissions and notification configurations
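The email content inspection called for in the detection strategies and the outbound email scanning in the monitoring recommendations above, as an added example that is not from the advisory or from Metabase. The regular expressions, message ids and email bodies are constructed for illustration.

```python
# Added example (not from the advisory or from Metabase): scan outbound
# notification email bodies for credential-like material. Patterns and
# sample emails below are constructed for this example.
import re
from typing import Dict, List

# Named group 'secret' is redacted so the alert never carries the leaked value.
CREDENTIAL_PATTERNS = {
    # JDBC URL, capturing the password parameter when present
    "jdbc_url": re.compile(
        r"jdbc:[a-z0-9]+://(?:\S*?password=(?P<secret>[^&\s]+))?\S*", re.I),
    # user:password@host connection URIs for common Metabase data sources
    "db_uri_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb|redshift|mssql)://[^:\s/]+:(?P<secret>[^@\s]+)@", re.I),
    # password=value or "password": "value" assignments in any syntax
    "password_kv": re.compile(
        r"(?:password|passwd|pwd)[\"']?\s*[=:]\s*[\"']?(?P<secret>[^\s\"',;&]+)", re.I),
}

def redact(match) -> str:
    """Return the matched text with the captured secret replaced."""
    text = match.group(0)
    secret = match.groupdict().get("secret")
    return text.replace(secret, "[REDACTED]") if secret else text

def scan_email_body(body: str) -> List[Dict[str, str]]:
    """One finding per credential-like match in a single notification body."""
    findings = []
    for name, pattern in CREDENTIAL_PATTERNS.items():
        for m in pattern.finditer(body):
            findings.append({"indicator": name, "evidence": redact(m)})
    return findings

def triage(emails: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Map message id -> findings, keeping only messages that need an alert."""
    flagged = {}
    for msg_id, body in emails.items():
        findings = scan_email_body(body)
        if findings:
            flagged[msg_id] = findings
    return flagged

# Constructed outbound mail: a normal dashboard alert and one carrying leaked connection strings.
SAMPLE_EMAILS = {
    "msg-001": "Your weekly 'Revenue by region' dashboard is attached. 12 rows changed.",
    "msg-002": "Alert: jdbc:postgresql://db.internal:5432/analytics?user=metabase&password=s3cretPass "
               "postgres://reporting:Wint3r2026@warehouse.internal/prod",
}
```

Running triage(SAMPLE_EMAILS) flags only msg-002, with three findings whose secrets are replaced by [REDACTED] so the alert itself does not re-leak the credential.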
How to Mitigate CVE-2026-27464
Immediate Actions Required
- Upgrade Metabase to version 0.57.13 or 0.58.7 immediately
- Review notification configurations for any suspicious templates
- Audit recent notification activity for potential exploitation attempts
- Rotate database credentials if exploitation is suspected
- Review and restrict user access to notification features
Patch Information
Metabase has released security patches addressing this vulnerability. Organizations should upgrade to one of the following fixed versions:
- Version 0.57.13 - Patch for the 0.57.x release branch (GitHub Metabase Release v0.57.13)
- Version 0.58.7 - Patch for the 0.58.x release branch (GitHub Metabase Release v0.58.7)
For detailed information about this vulnerability, refer to the GitHub Security Advisory GHSA-vcj8-rcm8-gfj9.
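A fleet check against the affected and fixed versions listed above, as an added example that is not from the advisory or from Metabase. The version comparison uses only the ranges stated on this page; the instance inventory is constructed.

```python
# Added example (not from the advisory or from Metabase): classify a Metabase
# version string against the affected and fixed ranges stated for CVE-2026-27464.
from typing import Dict, Tuple

FIXED_057 = (0, 57, 13)  # first fixed release on the 0.57.x branch
FIXED_058 = (0, 58, 7)   # first fixed release on the 0.58.x branch


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v0.58.6' or '0.58.6' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Metabase version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(text: str) -> bool:
    """True for either affected range: before 0.57.13, or 0.58.0 through 0.58.6."""
    v = parse_version(text)
    return v < FIXED_057 or (0, 58, 0) <= v < FIXED_058


def recommended_upgrade(text: str) -> str:
    """Name the fixed release on the instance's branch, or report it as not affected."""
    v = parse_version(text)
    if not is_affected(text):
        return "not affected"
    return "upgrade to 0.58.7" if v[:2] == (0, 58) else "upgrade to 0.57.13"


# Constructed inventory of instances to audit (hostnames and versions are made up).
INVENTORY = {"bi-prod": "0.58.6", "bi-staging": "v0.57.13", "bi-legacy": "0.55.4"}


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each instance to its remediation status."""
    return {host: recommended_upgrade(ver) for host, ver in inventory.items()}
```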
Workarounds
- Disable notifications in the Metabase instance to prevent access to vulnerable endpoints
- Restrict user permissions to limit access to notification configuration features
- Implement network segmentation to limit potential lateral movement if credentials are compromised
- Apply principle of least privilege for database accounts used by Metabase
```shell
# Example: disable notifications via environment variable
# (verify the variable name against the Metabase documentation for your version)
export MB_DISABLE_NOTIFICATIONS=true
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.