CVE-2026-27464 — Metabase Credential Exposure Vulnerability
CVE Name: Credential Extraction via Notification Template Evaluation
CVE ID: CVE-2026-27464
CVSS v3.1 Score: 7.7 (High)
Severity: High
Exploitability:
- Remote exploitation possible over network.
- Requires authenticated access with a low-privileged user account.
- No special user interaction beyond sending a crafted request.
Exploit Availability: While there is no widespread published proof-of-concept script available from adversary repositories, the vulnerability arises from server-side template execution — a concept well understood by attackers and easy to adapt into a working exploit in practice.
Overview (What This Vulnerability Is)
Metabase contains a flaw in how it processes notification templates. Templates are used for email notifications that include dynamic content. In vulnerable versions, Metabase evaluated template logic on the server using the user-provided content. Because the internal template engine can reference internal server properties, an attacker who controls a template could cause the server to include internal values in the rendered content.
In real-world tests, this allowed a low-privileged user account to cause Metabase to send out email bodies that contained database connection strings and credentials stored by Metabase for connecting to backend databases. This is not simple visualization data — this is sensitive configuration that attackers can use to access databases directly.
This class of issue is conceptually a server-side template injection and information disclosure vulnerability.
Affected and Patched Versions
- Versions earlier than 0.57.13 and
- All instances in the 0.58.x series up to 0.58.6.
Patched versions include:
- 0.57.13
- 0.58.7
- Corresponding Enterprise builds.
If your Metabase instance is below these versions, it is vulnerable.
How an Exploit Might Work
An attacker with a valid low-privilege account could:
- Submit a crafted notification template through the Metabase API.
- The server would evaluate that template for dynamic parts.
- Because the server-side template engine allows access to underlying server state, the attacker can cause sensitive values (credentials, config strings) to be rendered into the output.
- Metabase would then send that rendered output through its notification mechanism, usually email.
- The attacker receives the email and reads out the sensitive database credentials or other internal values.
Once database credentials are obtained, attackers can connect directly to the backend database with elevated access outside the Metabase application itself.
Exploitation Complexity
Exploitation is not trivial for an unauthenticated attacker: a valid authenticated account is required, even one with only minimal user rights. However, low-privileged accounts are common in environments where end users are allowed to create reports, dashboards, or notifications. That makes this vulnerability more dangerous in shared environments where many users have login access.
Detection Strategies
Detecting this vulnerability in action involves a blend of application logs, web access logs, and outgoing notification analysis.
Log Sources to Analyze
- Application logs – internal Metabase logs that show incoming API calls and template operations.
- Web server logs (access logs) – capture HTTP requests to the API notification endpoints.
- SMTP / email logs – capture outgoing email content for any suspicious template evaluation results.
- Database logs – to detect unusual connections from the Metabase host with new credentials.
Indicators of Compromise (IoCs)
Look for patterns that deviate from normal user notification behavior:
- REST API calls from authenticated users to endpoints like:
/api/notification or /api/notifications
- Request bodies containing template syntax like:
{{ ... }}, <% ... %>, ${ ... }
- Outgoing emails whose bodies contain:
- Strings that resemble database connection formats (e.g., jdbc:, host=, user=, password=).
- Unusual database connection attempts originating from the Metabase host following a notification action.
Detection Rules and Queries
Web Access Monitoring
Example detection query (generic SIEM concept):
filter http.method == "POST"
and http.path contains "/api/notification"
and http.request.body matches "(\\{\\{|\\$\\{|<%)"
Trigger if a POST to the notification API contains template syntax.
Email Body Content Monitoring
Monitor SMTP logs for outgoing messages with credential patterns:
search body matches "jdbc:" OR "password=" OR "user="
Flag any outgoing email from Metabase that carries internal configuration indicators.
Application Log Anomalies
Check for template rendering operations that occur outside normal usage times:
app_logs | where message contains "render_template" and response contains "jdbc:"
Alert on unusual template rendering responses that include credential-like artefacts.
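The three generic SIEM rules above, implemented as an added example (not code from Metabase or from this advisory) that runs over a small constructed event stream; the event field names, user names and hostnames are assumptions, not real log formats or indicators:

```python
import re

# Template markers and credential-like strings named in the advisory's IoC list.
TEMPLATE_SYNTAX = re.compile(r"\{\{|<%|\$\{")
CREDENTIAL_HINTS = re.compile(r"jdbc:|host=|user=|password=", re.IGNORECASE)

def flag_api_request(event: dict) -> bool:
    """Web-access rule: POST to the notification API whose body carries template syntax."""
    return (event.get("method", "").upper() == "POST"
            and "/api/notification" in event.get("path", "")
            and TEMPLATE_SYNTAX.search(event.get("body", "")) is not None)

def flag_email_body(event: dict) -> list[str]:
    """SMTP rule: return the credential-like tokens found in an outgoing message body."""
    return sorted({m.group(0).lower() for m in CREDENTIAL_HINTS.finditer(event.get("body", ""))})

def triage(events: list[dict]) -> list[dict]:
    """Run both rules over a mixed event stream and return each hit with the rule that fired."""
    hits = []
    for ev in events:
        if ev["source"] == "http" and flag_api_request(ev):
            hits.append({"rule": "template_in_notification_post",
                         "user": ev.get("user"), "path": ev["path"]})
        elif ev["source"] == "smtp":
            tokens = flag_email_body(ev)
            if tokens:
                hits.append({"rule": "credential_pattern_in_email",
                             "to": ev.get("to"), "tokens": tokens})
    return hits

# Constructed sample events (not real logs); users, addresses and hosts are placeholders.
SAMPLE_EVENTS = [
    {"source": "http", "method": "POST", "path": "/api/notification", "user": "analyst1",
     "body": '{"subject":"weekly","template":"Total: {{ payload.result }}"}'},
    {"source": "http", "method": "POST", "path": "/api/notification", "user": "analyst1",
     "body": '{"subject":"ok","template":"plain text only"}'},
    {"source": "http", "method": "GET", "path": "/api/card/1", "user": "viewer", "body": ""},
    {"source": "smtp", "to": "analyst1@example.test", "body": "Weekly total: 42"},
    {"source": "smtp", "to": "analyst1@example.test",
     "body": "jdbc:postgresql://db.internal.example/metabase?user=mb&password=REDACTED"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The first rule also fires on legitimate dynamic templates, so it is best used to enrich the non-admin-user alert from the Detection Best Practices section rather than as a standalone incident trigger; the SMTP rule is the high-confidence signal.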
Recommended Mitigations
- Immediate Upgrade: Apply the official patch or upgrade package available at:
👉 https://github.com/metabase/metabase/releases/tag/v0.57.13
- Temporary Workaround: If you cannot upgrade immediately, disable the notification feature in Metabase entirely. This prevents access to the vulnerable template endpoint until you can apply the patch.
- Rotate Credentials: After patching, rotate any database credentials previously stored in Metabase to ensure leaked values are no longer valid.
- Tight Access Control: Restrict who can create or modify notification templates in Metabase. Limit this to trusted administrators only.
Detection Best Practices
- Alert when non-admin users start creating or submitting notification templates.
- Integrate outgoing email monitoring into security analytics to catch unexpected contents.
- Treat involvement of database credentials in any user-generated email as a high-priority incident.
Summary
CVE-2026-27464 is a serious vulnerability in Metabase’s template handling that allows a low-privileged account to cause internal credentials to appear in outgoing notifications. It is straightforward for attackers with access to an authenticated account to abuse this when the server evaluates templates incorrectly.
The only reliable fix is to apply the official patch/upgrade at the link provided. Detecting exploitation requires careful monitoring of API calls, template submissions, and email payloads for signs of sensitive information. Acting quickly will prevent credential theft and misuse of the exposed database backend.
