Skip to content
Verified reproduction

CVE-2026-59826: Metabase arbitrary code execution via unsafe H2 connection property validation bypass

CVE-2026-59826 is verified against metabase/metabase · github This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00293.

REPRO-2026-00293 metabase/metabase · github Variant found Known vulnerability Jul 17, 2026 CVE entry .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 92m 57s
Tool calls 348
Spend $27.81
$ pruva-verify REPRO-2026-00293
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00293/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. Affected versions: >= 1.55.0 < 1.58.15.1, >= 1.59.0 < 1.59.12, >= 1.60.0 < 1.60.6.3, >= 1.61.0 < 1.61.2. Fixed in 1.58.15.1, 1.59.12, 1.60.6.3, 1.61.2.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/logs/fixed_commit_74032e5_relevant_diff.log4.8 KB
bundle/logs/vulnerable_loader_evidence.log0.6 KB
bundle/logs/fixed_loader_evidence.log0.6 KB
bundle/vuln_variant/source_identity.json1.0 KB
bundle/vuln_variant/root_cause_equivalence.json1.0 KB
bundle/logs/vuln_variant/fixed_tag_variant_code_anchors.log21.4 KB
bundle/repro/reproduction_steps.sh16.5 KB
bundle/repro/rca_report.md9.4 KB
bundle/repro/validation_verdict.json0.9 KB
bundle/repro/runtime_manifest.json1.4 KB
bundle/logs/reproduction_steps.log7.7 KB
bundle/logs/vuln_attempt_1_api.request.json0.3 KB
bundle/logs/vuln_attempt_1_api.response.json1.9 KB
bundle/logs/vuln_attempt_1_api.query_response.json1.5 KB
bundle/logs/vuln_attempt_2_api.request.json0.3 KB
bundle/logs/vuln_attempt_2_api.response.json1.9 KB
bundle/logs/vuln_attempt_2_api.query_response.json1.5 KB
bundle/logs/fixed_attempt_1_api.request.json0.3 KB
bundle/logs/fixed_attempt_1_api.response.json0.1 KB
bundle/logs/fixed_attempt_2_api.request.json0.3 KB
bundle/logs/fixed_attempt_2_api.response.json0.1 KB
bundle/artifacts/metabase-cve-2026-59826/vuln_attempt_1_marker.txt0.0 KB
bundle/artifacts/metabase-cve-2026-59826/vuln_attempt_2_marker.txt0.0 KB
bundle/logs/vulnerable_metabase.log388.9 KB
bundle/logs/fixed_metabase.log387.6 KB
bundle/vuln_variant/reproduction_steps.sh17.9 KB
bundle/vuln_variant/rca_report.md12.1 KB
bundle/vuln_variant/patch_analysis.md8.9 KB
bundle/vuln_variant/variant_manifest.json3.9 KB
bundle/vuln_variant/validation_verdict.json2.6 KB
bundle/vuln_variant/runtime_manifest.json1.3 KB
bundle/logs/vuln_variant/reproduction_steps.log4.5 KB
bundle/logs/vuln_variant/source_versions.txt0.3 KB
bundle/logs/vuln_variant/vuln_database_create.response.json0.1 KB
bundle/logs/vuln_variant/fixed_database_create.response.json0.1 KB
bundle/logs/vuln_variant/vuln_metabase.log417.0 KB
bundle/logs/vuln_variant/fixed_metabase.log416.7 KB
bundle/logs/vuln_variant/vuln_database_create.request.json0.3 KB
bundle/logs/vuln_variant/fixed_database_create.request.json0.3 KB
bundle/logs/vuln_variant/vuln_serialization_import.response.txt15.0 KB
bundle/logs/vuln_variant/fixed_serialization_import.response.txt15.0 KB
bundle/logs/vuln_variant/vuln_advanced_config_probe.response.txt0.0 KB
bundle/logs/vuln_variant/fixed_advanced_config_probe.response.txt0.0 KB