{
  "variant_id": "pruva-cve-2026-59826-negative-variant-review",
  "created_at": "2026-07-17T07:37:00Z",
  "variant_summary": "No distinct bypass or alternate trigger was confirmed. Candidate database-detail entry points outside the parent database-routing destination endpoint were blocked, guarded, or unavailable in Metabase Enterprise v1.61.1/v1.61.2 runtime tests and fixed-tag source review.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/metabase/metabase",
  "submitted_target": {
    "target_kind": "container_image",
    "commit_sha": "770276bdddee78aed8ee0f75cdddd61a744664d4",
    "version": "v1.61.1",
    "ref": "metabase/metabase-enterprise:v1.61.1",
    "display": "Metabase Enterprise v1.61.1 (parent vulnerable target)"
  },
  "variant_target": {
    "target_kind": "container_image",
    "commit_sha": "74032e5e0a5a70dc45a6a744d37b9ba24eee8d01",
    "version": "v1.61.2",
    "ref": "metabase/metabase-enterprise:v1.61.2",
    "display": "Metabase Enterprise v1.61.2 (fixed target tested for bypass)"
  },
  "same_root_cause_confidence": "medium",
  "same_surface_confidence": "low",
  "claimed_surface": "api_remote_admin_database_details",
  "validated_surface": "none",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Candidates: POST /api/database, POST /api/ee/serialization/import, and probe for POST /api/ee/advanced-config/; none produced fixed-version execution.",
  "attacker_controlled_input": "H2 details.db connection string with escaped semicolon SQL payload",
  "trigger_path": "Attempt alternate database-detail persistence/open paths outside /api/ee/database-routing/destination-database, then POST /api/dataset if a database row is created",
  "observed_impact_class": "none",
  "exploitability_confidence": "low",
  "evidence_scope": "bounded_runtime_and_source_review",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "No candidate alternate entry point persisted unsafe H2 details and executed on fixed v1.61.2.",
  "blocking_mitigation": "driver/validate-db-details! on the fixed database-routing endpoint, existing driver/can-connect? validation on normal database APIs, serialization assert-not-h2! guard, and absence of the runtime advanced-config endpoint in tested images.",
  "file_path": "enterprise/backend/src/metabase_enterprise/database_routing/api.clj",
  "line_start": 38,
  "line_end": 63,
  "secondary_anchors": [
    {
      "file_path": "src/metabase/driver/h2.clj",
      "line_start": 118,
      "line_end": 140
    },
    {
      "file_path": "src/metabase/warehouses/api.clj",
      "line_start": 864,
      "line_end": 898
    },
    {
      "file_path": "src/metabase/warehouses/models/database.clj",
      "line_start": 573,
      "line_end": 586
    },
    {
      "file_path": "enterprise/backend/src/metabase_enterprise/advanced_config/file/databases.clj",
      "line_start": 79,
      "line_end": 89
    }
  ],
  "review_scope_paths": [
    "enterprise/backend/src/metabase_enterprise/database_routing/api.clj",
    "src/metabase/driver/h2.clj",
    "src/metabase/warehouses/api.clj",
    "src/metabase/warehouses_rest/api.clj",
    "src/metabase/warehouses/models/database.clj",
    "enterprise/backend/src/metabase_enterprise/advanced_config/file/databases.clj",
    "enterprise/backend/src/metabase_enterprise/serialization/api.clj",
    "enterprise/backend/src/metabase_enterprise/serialization/v2/load.clj"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
