{"api_version":"1","generated_at":"2026-07-16T18:19:17+00:00","cve":"CVE-2026-50147","urls":{"html":"https://cve.report/CVE-2026-50147","api":"https://cve.report/api/cve/CVE-2026-50147.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-50147","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-50147"},"summary":{"title":"Metabase: Arbitrary File Read via MySQL Connection Property Injection","description":"Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-15 16:16:47","updated_at":"2026-07-15 20:35:56"},"problem_types":["CWE-88","CWE-88 CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/metabase/metabase/security/advisories/GHSA-mfpj-crjq-xrcp","name":"https://github.com/metabase/metabase/security/advisories/GHSA-mfpj-crjq-xrcp","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-50147","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50147","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"metabase","product":"metabase","version":"affected >= 1.57.0, < 1.57.19.1","platforms":[]},{"source":"CNA","vendor":"metabase","product":"metabase","version":"affected >= 1.58.0, < 1.58.14.1","platforms":[]},{"source":"CNA","vendor":"metabase","product":"metabase","version":"affected >= 1.59.0, < 1.59.10","platforms":[]},{"source":"CNA","vendor":"metabase","product":"metabase","version":"affected >= 1.60.0, < 1.60.4","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-50147","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-15T16:03:56.744985Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-15T16:04:03.343Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"metabase","vendor":"metabase","versions":[{"status":"affected","version":">= 1.57.0, < 1.57.19.1"},{"status":"affected","version":">= 1.58.0, < 1.58.14.1"},{"status":"affected","version":">= 1.59.0, < 1.59.10"},{"status":"affected","version":">= 1.60.0, < 1.60.4"}]}],"descriptions":[{"lang":"en","value":"Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-88","description":"CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-15T15:21:23.107Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/metabase/metabase/security/advisories/GHSA-mfpj-crjq-xrcp","tags":["x_refsource_CONFIRM"],"url":"https://github.com/metabase/metabase/security/advisories/GHSA-mfpj-crjq-xrcp"}],"source":{"advisory":"GHSA-mfpj-crjq-xrcp","discovery":"UNKNOWN"},"title":"Metabase: Arbitrary File Read via MySQL Connection Property Injection"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-50147","datePublished":"2026-07-15T15:21:23.107Z","dateReserved":"2026-06-03T18:49:32.276Z","dateUpdated":"2026-07-15T16:04:03.343Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-15 16:16:47","lastModifiedDate":"2026-07-15 20:35:56","problem_types":["CWE-88","CWE-88 CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-15T16:03:56.744985Z","id":"CVE-2026-50147","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"50147","Ordinal":"1","Title":"Metabase: Arbitrary File Read via MySQL Connection Property Inje","CVE":"CVE-2026-50147","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"50147","Ordinal":"1","NoteData":"Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4.","Type":"Description","Title":"Metabase: Arbitrary File Read via MySQL Connection Property Inje"}]}}}