Remote Code Execution Vulnerability in Metabase by Flawed Snowflake JDBC Driver
CVE-2026-50148

10CRITICAL

Key Information:

Vendor

Metabase

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-50148?

An identified vulnerability within Metabase allows users with the ability to add or edit database connections to potentially execute arbitrary code on the Metabase server. This occurs specifically when a connection to an attacker-controlled Snowflake server is configured, exploiting a flaw in the Snowflake JDBC driver. This flaw enables the unauthorized writing of files across the Metabase host, including critical Metabase database driver files, which can subsequently be executed within the Metabase process. Remediation has been applied in the latest versions of Metabase.

Affected Version(s)

metabase >= 1.54.0, < 1.54.24 < 1.54.0, 1.54.24

metabase >= 1.55.0, < 1.55.24 < 1.55.0, 1.55.24

metabase >= 1.56.0, < 1.56.25 < 1.56.0, 1.56.25

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.