Is CVE-2026-27464 actively exploited?

CVE-2026-27464 has no public evidence of in-the-wild exploitation as of 2026-03-02.

What is the CVSS score for CVE-2026-27464?

CVE-2026-27464 has a CVSS score of 7.7 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

How do I patch CVE-2026-27464?

Patch guidance is available from metabase security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-27464.

Fix CVE-2026-27464 - HIGH metabase metabase

Q: Which products are affected by CVE-2026-27464?

4 products: metabase metabase, metabase metabase, metabase metabase, metabase metabase.

Description

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. To workaround this issue, users can disable notifications in their Metabase instance to disallow access to the vulnerable endpoints.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: changed
Confidentiality: high
Integrity: none
Availability: none
Weaknesses: CWE-94 · Code Injection CWE-1336

Metadata

Primary Vendor: METABASE
Published: 2/21/2026
Last Modified: 3/2/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-27464

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary