CVE-2026-50148

metabase · metabase

A critical vulnerability in Metabase allows users with database connection permissions to achieve remote code execution via a flaw in the Snowflake JDBC driver.

Executive summary

An attacker with existing database configuration permissions can achieve remote code execution on the host server by exploiting a file path manipulation flaw in the Metabase Snowflake integration.

Vulnerability

This vulnerability (CWE-73) allows an authenticated user to perform external control of file paths through the Snowflake JDBC driver. By configuring a connection to an attacker-controlled server, the attacker can write arbitrary files to the host, leading to full remote code execution.

Business impact

With a CVSS score of 10.0, this is a maximum-severity vulnerability. It allows an attacker to gain full control over the Metabase server, which often contains sensitive business intelligence data and credentials for connected databases. The impact includes total system compromise, data theft, and the potential for the server to be used as a pivot point in the internal network.

Remediation

Immediate Action: Upgrade to the specific patched versions listed for each release branch (e.g., 1.54.24, 1.55.24, etc.) immediately.

Proactive Monitoring: Review database connection configurations for any recent, unauthorized changes, particularly those pointing to external or unrecognized Snowflake instances.

Compensating Controls: Restrict the ability to add or edit database connections to a strictly controlled set of administrative users to minimize the attack surface.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The severity of this vulnerability necessitates immediate patching. Organizations should identify all active Metabase deployments and ensure they are updated to the corresponding fixed version to prevent unauthorized remote code execution and potential data breaches.