A recap of the notifications endpoint vulnerability and our response.

Metabase is an open-source business intelligence (BI) tool for data visualization and analytics. Readers can find documentation, tutorials, and community forums to learn about using Metabase for data exploration, dashboard creation, and generating insights from data. Additionally, they can learn about connecting Metabase to various data sources, building custom dashboards, and sharing reports with stakeholders.

Metabase

A security researcher discovered a vulnerability in Metabase's notification API that allowed authenticated users to craft Handlebars templates capable of extracting database credentials and sending them via outbound email. The flaw arose from two independent changes: adding user-supplied Handlebars template support and exposing metadata objects in query results that could be traversed to reach database connection details. Metabase fixed the issue by removing the Handlebars method resolver and stripping metadata from notification rendering contexts. No evidence of exploitation was found before the patch. Self-hosted users on versions 55–58 should upgrade to the specified point releases immediately. Future mitigations include improved template rendering logging and a wrapper around database credential access.

February 2026 vulnerability: What happened?

What are we doing to prevent this in the future?