Data Exposure in Metabase Enterprise Edition Affects User Permissions
CVE-2025-27141

4.8 MEDIUM

Key Information:

Vendor
Metabase
Status
Metabase
Vendor
CVE Published: 24 February 2025

Summary

In Metabase Enterprise Edition, users with impersonation permissions can inadvertently access cached query results not meant for them. Specifically, if a user runs a query with caching allowed and an impersonated user subsequently runs the same query, the impersonated user can view cached results containing data they are not authorized to see. The flaw affects versions 1.47.0 through 1.49.X, and fixes are included in versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2. Users are urged to upgrade, or to disable caching, to mitigate this risk.
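The behaviour described in the summary can be modelled with a small result cache. This is an added illustration, not Metabase code: the class, the role names, the sample rows, and the assumption that the cache key omits the identity the query runs as are all hypothetical. It also gives a regression check that compares what the cache serves with what the database would return directly.

```python
import hashlib

# Constructed sample data: each row lists the database roles allowed to read it.
ROWS = [
    {"region": "emea", "revenue": 120, "visible_to": {"admin_role", "emea_role"}},
    {"region": "apac", "revenue": 340, "visible_to": {"admin_role"}},
]

def run_on_database(sql, db_role):
    """Stand-in for the warehouse: the executing role decides which rows return."""
    return [(r["region"], r["revenue"]) for r in ROWS if db_role in r["visible_to"]]

class QueryCache:
    """Hypothetical result cache; the flag switches between the two key schemes."""

    def __init__(self, include_role_in_key):
        self.include_role_in_key = include_role_in_key
        self.store = {}

    def _key(self, sql, db_role):
        parts = [sql]
        if self.include_role_in_key:
            # Isolated scheme: entries are partitioned by the executing role.
            parts.append(db_role)
        return hashlib.sha256("\x00".join(parts).encode()).hexdigest()

    def query(self, sql, db_role):
        key = self._key(sql, db_role)
        if key not in self.store:
            self.store[key] = run_on_database(sql, db_role)
        return self.store[key]

def leaked_rows(include_role_in_key):
    """Rows the impersonated role receives from cache but could not read directly."""
    cache = QueryCache(include_role_in_key)
    sql = "SELECT region, revenue FROM sales"
    cache.query(sql, "admin_role")            # unrestricted user warms the cache
    served = cache.query(sql, "emea_role")    # impersonated user runs the same query
    allowed = run_on_database(sql, "emea_role")
    return [row for row in served if row not in allowed]

if __name__ == "__main__":
    print("key without role:", leaked_rows(False))
    print("key with role:   ", leaked_rows(True))
```

The same comparison, cached result versus a direct run under the restricted role, works as a post-upgrade check against a test instance.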

Affected Version(s)

metabase >= 1.47.0, < 1.50.36 < 1.47.0, 1.50.36

metabase >= 1.51.0, < 1.51.14 < 1.51.0, 1.51.14

metabase >= 1.52.0, < 1.51.11 < 1.52.0, 1.51.11

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved