Remote Code Execution in Metabase Enterprise Affecting Open Source Business Intelligence Tool
CVE-2026-33725

7.2HIGH

Key Information:

Vendor

Metabase

Status
Vendor
CVE Published:
27 March 2026

What is CVE-2026-33725?

CVE-2026-33725 represents a significant security vulnerability within the Metabase Enterprise Edition, an open-source business intelligence tool designed for data analytics and visualization. This vulnerability specifically allows authenticated administrators to execute remote code due to an exploit within the serialization import process. Attackers can craft a malicious serialization archive that manipulates the H2 JDBC specification, enabling arbitrary SQL execution during database synchronization. This flaw affects versions of Metabase Enterprise preceding 1.54.22, among others, and poses a serious risk to organizations relying on this tool for their data operations. The ramifications of this vulnerability could lead to unauthorized access to sensitive data, data integrity violations, and a compromised computing environment if not addressed effectively.

Potential impact of CVE-2026-33725

  1. Remote Code Execution (RCE): The vulnerability allows attackers to execute arbitrary code on the Metabase server, potentially leading to full system compromise, unauthorized changes to the software, and access to sensitive data stored within the database.

  2. Data Breaches: Exploitation of this vulnerability could result in unauthorized access to protected data, including personal and business-sensitive information, leading to data breaches that may violate compliance regulations and damage organizational reputation.

  3. Increased Attack Surface: As the vulnerability can be exploited by any authenticated administrator through a specific API endpoint, it increases the overall attack surface of Metabase installations, making it essential for organizations to apply patches or implement workarounds to mitigate risk effectively.

Affected Version(s)

metabase < 1.54.22 < 1.54.22

metabase >= 1.55.0, < 1.55.22 < 1.55.0, 1.55.22

metabase >= 1.56.0, < 1.56.22 < 1.56.0, 1.56.22

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.