CVE-2026-59826: Metabase arbitrary code execution via unsafe H2 connection property validation bypass
CVE-2026-59826 is verified against metabase/metabase · github This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00293.
pruva-verify REPRO-2026-00293 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00293/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. Affected versions: >= 1.55.0 < 1.58.15.1, >= 1.59.0 < 1.59.12, >= 1.60.0 < 1.60.6.3, >= 1.61.0 < 1.61.2. Fixed in 1.58.15.1, 1.59.12, 1.60.6.3, 1.61.2.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.