CVE-2026-27464

High
CWE-94 — Weakness Type
Published: Feb 21, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
7.7
📄 Description (English)

Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privileged user can extract sensitive information, including database credentials, into the email body via template evaluation. This issue has been fixed in versions 0.57.13 and 0.58.7. To work around this issue, users can disable notifications in their Metabase instance to disallow access to the vulnerable endpoints.

🤖 AI Executive Summary

CVE-2026-27464 is a high-severity vulnerability in Metabase affecting versions prior to 0.57.13 and 0.58.x through 0.58.6, allowing authenticated users to extract sensitive information including database credentials through template evaluation in notification features. The vulnerability poses significant risk to organizations using Metabase for business intelligence and analytics, as it enables privilege escalation and unauthorized access to backend database systems. Immediate patching to versions 0.57.13 or 0.58.7+ is critical to prevent credential compromise.

🤖 AI Intelligence Analysis  ·  Analyzed: Apr 29, 2026 15:34
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Metabase for business intelligence and analytics—particularly in banking (SAMA-regulated institutions), government agencies (NCA oversight), healthcare systems, energy sector (ARAMCO and subsidiaries), and telecommunications (STC, Mobily)—face significant risk of credential compromise. The vulnerability enables low-privileged users to extract database access credentials, potentially leading to unauthorized access to critical business data, financial records, and operational systems. Financial institutions and government entities are at highest risk due to the sensitivity of data stored in their analytics platforms and regulatory compliance implications under SAMA CSF and NCA ECC frameworks.
🏢 Affected Saudi Sectors
Banking and Financial Services, Government and Public Administration, Healthcare and Medical Services, Energy and Utilities, Telecommunications, Insurance, Retail and E-commerce, Manufacturing
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Metabase instances in your environment and verify current versions
2. Disable notification features immediately as a temporary workaround if patching cannot be completed within 48 hours
3. Review access logs for suspicious notification-related activities or template evaluation attempts
4. Audit user accounts with notification permissions and restrict to essential personnel only

PATCHING GUIDANCE:
1. Upgrade Metabase to version 0.57.13 or later (for 0.57.x branch)
2. Upgrade to version 0.58.7 or later (for 0.58.x branch)
3. Test patches in non-production environment before deployment
4. Schedule maintenance window for production upgrades with minimal business impact

COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable email notifications and alert features in Metabase settings
2. Restrict network access to Metabase notification endpoints using WAF/firewall rules
3. Implement strict role-based access control (RBAC) limiting notification creation to administrators only
4. Monitor and log all notification configuration changes
5. Implement database credential rotation for all accounts accessible via Metabase

DETECTION RULES:
1. Monitor for POST requests to /api/email/preview or notification-related endpoints with template parameters
2. Alert on template evaluation patterns containing database credential references (password, secret, key patterns)
3. Track notification creation/modification by non-admin users
4. Monitor email logs for unusual credential-containing messages
5. Implement SIEM rules to detect CWE-94 (code injection) patterns in Metabase logs
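As an added example, not code from the advisory or from Metabase, the following Python script ties the patching guidance and detection rule 1 above together: `is_affected` checks a reported version string against the affected range the advisory states, and `flag_notification_probes` runs that rule over constructed access-log lines, flagging POST requests to /api/email/preview by non-admin roles. The log-line layout, the role field and the sample lines are assumptions made for this example.

```python
# Added example for CVE-2026-27464 triage; not code from the advisory or Metabase.
import re

# Affected range exactly as the advisory states it (0.x line only):
# anything before 0.57.13, or 0.58.0 through 0.58.6.
FIXED_057, FIXED_058 = (0, 57, 13), (0, 58, 7)

def parse_version(text):
    """Reduce 'v0.58.6' or '0.57.13.2' to a comparable (major, minor, patch) tuple."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 3:
        raise ValueError(f"unrecognised Metabase version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def is_affected(text):
    """True when the version lies inside the advisory's affected range."""
    v = parse_version(text)
    if v[:2] == (0, 58):
        return v < FIXED_058
    return v < FIXED_057  # 0.57.x and every older 0.x release

# Assumed access-log layout (constructed); adapt the regex to what your proxy writes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Endpoint named in detection rule 1; extend with your instance's notification paths.
WATCHED_PREFIXES = ("/api/email/preview",)

def flag_notification_probes(lines):
    """(ts, user, path) for POSTs to watched endpoints by non-admin roles; a 403 still counts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the rule
        d = m.groupdict()
        if (d["method"] == "POST" and d["role"] != "admin"
                and d["path"].startswith(WATCHED_PREFIXES)):
            hits.append((d["ts"], d["user"], d["path"]))
    return hits

SAMPLE_LOG = """\
2026-02-22T10:01:02Z user=alice role=viewer POST /api/email/preview 200
2026-02-22T10:01:05Z user=bob role=admin POST /api/email/preview 200
2026-02-22T10:02:10Z user=alice role=viewer GET /api/card/12 200
2026-02-22T10:03:44Z user=carol role=editor POST /api/email/preview?x=1 403
not a log line
""".splitlines()  # constructed sample lines, not real traffic
```

Only the two non-admin POSTs (alice and carol) are reported; the admin's identical request and the unparseable line are ignored.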
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all Metabase instances in your environment and verify the current versions
2. Disable notification features immediately as a temporary workaround if the update cannot be completed within 48 hours
3. Review access logs for suspicious notification-related activity or template evaluation attempts
4. Audit user accounts that have notification permissions and restrict them to essential staff only

PATCHING GUIDANCE:
1. Upgrade Metabase to version 0.57.13 or later (for the 0.57.x branch)
2. Upgrade to version 0.58.7 or later (for the 0.58.x branch)
3. Test the patches in a non-production environment before deployment
4. Schedule a maintenance window for production upgrades with minimal business impact

COMPENSATING CONTROLS (if an immediate update is not possible):
1. Disable email notifications and alert features in the Metabase settings
2. Restrict access to Metabase notification endpoints using WAF/firewall rules
3. Apply role-based access control (RBAC), restricting notification creation to administrators only
4. Monitor and log all notification configuration changes
5. Apply database credential rotation for all accounts reachable via Metabase

DETECTION RULES:
1. Monitor POST requests to /api/email/preview or related notification endpoints with template parameters
2. Raise alerts on template evaluation patterns that contain database credential references
3. Track notification creation/modification by non-administrative users
4. Monitor email logs for messages containing unusual credentials
5. Apply SIEM rules to detect CWE-94 (code injection) patterns in Metabase logs
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies
ECC 2024 A.6.1.2 - User Access Management
ECC 2024 A.8.2.1 - Classification of Information
ECC 2024 A.8.2.3 - Handling of Assets
ECC 2024 A.12.2.1 - Event Logging
ECC 2024 A.12.4.1 - Recording User Activities
🔵 SAMA CSF
SAMA CSF 1.1 - Governance and Risk Management
SAMA CSF 2.1 - Asset Management and Protection
SAMA CSF 2.2 - Data Protection and Privacy
SAMA CSF 3.1 - Access Control
SAMA CSF 4.1 - Detection and Analysis
SAMA CSF 5.1 - Response and Recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Screening
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.2 - Privileged Access Rights
ISO 27001:2022 A.8.3 - Information Access Restriction
ISO 27001:2022 A.12.4 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 3.2.1 - Render PAN Unreadable
PCI DSS 6.5.1 - Injection Flaws
PCI DSS 7.1 - Limit Access to System Components
PCI DSS 8.1 - Assign Unique ID to Each User
PCI DSS 10.2 - Implement Automated Audit Trails
📊 CVSS Score
7.7 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: C — Changed
Confidentiality: H — High
Integrity: N — None
Availability: N — None
📋 Quick Facts
Severity: High
CVSS Score: 7.7
CWE: CWE-94
EPSS: 0.04%
Exploit: No
Patch: ✓ Yes
Published: 2026-02-21
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-94