How to fix CVE-2026-27464?

Within 24 hours: Inventory all Metabase instances and identify those running vulnerable versions (pre-0.57.13 or 0.58.0-0.58.6). Within 7 days: Apply available patches to upgrade to Metabase 0.57.13, 0.58.7, or later on all instances. Within 30 days: Conduct credential rotation for all database accounts connected to patched Metabase instances and audit access logs for unauthorized credential extraction or data retrieval.

CVE-2026-27464

Q: Is Industrial affected by CVE-2026-27464?

Authenticated users in Metabase versions prior to 0.57.13 and 0.58.0-0.58.6 can extract sensitive information including database credentials, creating a significant insider threat and potential lateral movement risk.

HIGH

2026-02-21 [email protected]

7.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

Patch Released

Mar 02, 2026 - 15:38 nvd

Patch available

CVE Published

Feb 21, 2026 - 08:16 nvd

HIGH 7.7

Description

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. To workaround this issue, users can disable notifications in their Metabase instance to disallow access to the vulnerable endpoints.

Analysis

Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data including database credentials through template injection in the notification system. An attacker with low privileges can exploit unsafe template evaluation to retrieve confidential information and expose database access credentials. …

Remediation

Within 24 hours: Inventory all Metabase instances and identify those running vulnerable versions (pre-0.57.13 or 0.58.0-0.58.6). Within 7 days: Apply available patches to upgrade to Metabase 0.57.13, 0.58.7, or later on all instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2026-27464 vulnerability details – vuln.today

Back

CVE-2026-27464

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-27464

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code