Remote Code Execution in Metabase Enterprise Affecting Open Source Business Intelligence Tool
CVE-2026-33725

7.2HIGH

Key Information:

Vendor: Metabase
Status: Metabase
Vendor: CVE Published:; 27 March 2026

What is CVE-2026-33725?

In Metabase Enterprise prior to specific versions, authenticated admins can exploit a vulnerability via the POST /api/ee/serialization/import endpoint. By crafting a serialization archive with an injected INIT property in the H2 JDBC specification, attackers can execute arbitrary SQL during database synchronization. This issue compromises both the integrity and security of the application, as it allows unauthorized access to critical components of the system. Importantly, the affected code paths originate from version 1.47 onward. Users are urged to apply patches provided in the affected versions or to disable the serialization import endpoint to mitigate the risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

metabase < 1.54.22 < 1.54.22

metabase >= 1.55.0, < 1.55.22 < 1.55.0, 1.55.22

metabase >= 1.56.0, < 1.56.22 < 1.56.0, 1.56.22

References

https://github.com/metabase/metabase/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2026
Vulnerability Reserved
Mar 23, 2026

JSON

Metabase

What is CVE-2026-33725?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.