Remote Code Execution in Metabase Enterprise Affecting Open Source Business Intelligence Tool
CVE-2026-33725
What is CVE-2026-33725?
CVE-2026-33725 represents a significant security vulnerability within the Metabase Enterprise Edition, an open-source business intelligence tool designed for data analytics and visualization. This vulnerability specifically allows authenticated administrators to execute remote code due to an exploit within the serialization import process. Attackers can craft a malicious serialization archive that manipulates the H2 JDBC specification, enabling arbitrary SQL execution during database synchronization. This flaw affects versions of Metabase Enterprise preceding 1.54.22, among others, and poses a serious risk to organizations relying on this tool for their data operations. The ramifications of this vulnerability could lead to unauthorized access to sensitive data, data integrity violations, and a compromised computing environment if not addressed effectively.
Potential impact of CVE-2026-33725
-
Remote Code Execution (RCE): The vulnerability allows attackers to execute arbitrary code on the Metabase server, potentially leading to full system compromise, unauthorized changes to the software, and access to sensitive data stored within the database.
-
Data Breaches: Exploitation of this vulnerability could result in unauthorized access to protected data, including personal and business-sensitive information, leading to data breaches that may violate compliance regulations and damage organizational reputation.
-
Increased Attack Surface: As the vulnerability can be exploited by any authenticated administrator through a specific API endpoint, it increases the overall attack surface of Metabase installations, making it essential for organizations to apply patches or implement workarounds to mitigate risk effectively.
Affected Version(s)
metabase < 1.54.22 < 1.54.22
metabase >= 1.55.0, < 1.55.22 < 1.55.0, 1.55.22
metabase >= 1.56.0, < 1.56.22 < 1.56.0, 1.56.22
