February 2026 vulnerability: What happened?


A security researcher discovered a vulnerability in Metabase's notification API that allowed authenticated users to craft Handlebars templates capable of extracting database credentials and sending them via outbound email. The flaw arose from two independent changes: adding user-supplied Handlebars template support and exposing metadata objects in query results that could be traversed to reach database connection details. Metabase fixed the issue by removing the Handlebars method resolver and stripping metadata from notification rendering contexts. No evidence of exploitation was found before the patch. Self-hosted users on versions 55–58 should upgrade to the specified point releases immediately. Future mitigations include improved template rendering logging and a wrapper around database credential access.
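To make the two fixes concrete, here is an added toy example (not Metabase's code, and a simple `{{a.b.c}}` placeholder syntax rather than real Handlebars). It contrasts a path resolver that follows object attributes and invokes getter methods with a rendering path that both refuses method resolution and strips metadata from the context; `DbDetails`, `QUERY_RESULT` and the placeholder grammar are constructed for the example.

```python
import re

class DbDetails:  # constructed stand-in for a connection-details bean
    def __init__(self, password):
        self._password = password
    def password(self):
        return self._password

# Constructed payload as a template would see it: row data plus a metadata
# object whose graph reaches the database credentials (values fabricated).
QUERY_RESULT = {
    "rows": [{"id": 1, "total": 42}],
    "metadata": {"database": {"details": DbDetails("EXAMPLE-SECRET")}},
}
TOKEN = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")  # only {{ a.b.c }} placeholders

def walk(ctx, path, allow_methods):
    """Resolve a dotted path through dicts and lists; with allow_methods=True also
    follow attributes and call zero-argument methods (the risky resolver)."""
    for seg in path.split("."):
        if isinstance(ctx, dict):
            ctx = ctx.get(seg)
        elif isinstance(ctx, list) and seg.isdigit() and int(seg) < len(ctx):
            ctx = ctx[int(seg)]
        elif allow_methods:
            ctx = getattr(ctx, seg, None)
            ctx = ctx() if callable(ctx) else ctx
        else:
            return None
    return ctx

def strip_metadata(ctx):
    """Data-only copy of the context: drop every 'metadata' key and keep only
    dicts, lists and scalars, so no object with methods reaches a template."""
    if isinstance(ctx, dict):
        return {k: strip_metadata(v) for k, v in ctx.items() if k != "metadata"}
    if isinstance(ctx, list):
        return [strip_metadata(v) for v in ctx]
    return ctx if isinstance(ctx, (str, int, float, bool, type(None))) else None

def render(template, ctx, hardened=True):
    """Expand placeholders. hardened=True applies both fixes the post names:
    no method resolution and no metadata in the context handed to templates."""
    if hardened:
        ctx = strip_metadata(ctx)
    def sub(m):
        value = walk(ctx, m.group(1), allow_methods=not hardened)
        return "" if value is None else str(value)
    return TOKEN.sub(sub, template)
```

With `hardened=False` the placeholder `{{metadata.database.details.password}}` resolves the getter and leaks the constructed secret; with the default hardened path the same template renders to an empty string while ordinary row data such as `{{rows.0.total}}` still works.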

3 min read. From metabase.com
