Skip to main content

Metabase EUVDEUVD-2026-44701

| CVE-2026-50148 CRITICAL
External Control of File Name or Path (CWE-73)
2026-07-15 GitHub_M
10.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Requires a privileged connection-management/admin user (PR:H, not PR:N), driver file write escapes the app to compromise the whole host (S:C) yielding full host RCE (C/I/A:H).

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Analysis Generated
Jul 15, 2026 - 15:49 vuln.today
CVE Published
Jul 15, 2026 - 15:18 cve.org
CRITICAL 10.0

DescriptionCVE.org

Metabase is an open-source business intelligence and embedded analytics tool. From 1.54.0 until 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4, a Metabase user with permission to add or edit a database connection can achieve remote code execution on the Metabase server by configuring a Snowflake connection to an attacker-controlled server, because a flaw in the Snowflake JDBC driver can write arbitrary files anywhere on the Metabase host, including replacing one of Metabase's own database driver files that later executes inside the Metabase process. This issue is fixed in versions 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4.

AnalysisAI

Remote code execution in Metabase (open-source business intelligence platform) versions 1.54.0 through the fixed releases lets a user holding database-connection management rights run arbitrary code on the Metabase server. By pointing a Snowflake connection at an attacker-controlled server, a flaw in the bundled Snowflake JDBC driver writes attacker files anywhere on the host, overwriting one of Metabase's own driver files that later executes inside the Metabase process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain Metabase account with DB-management rights
Delivery
Stand up malicious Snowflake server
Exploit
Configure Snowflake connection to it
Install
JDBC driver writes arbitrary file
C2
Overwrite Metabase driver file
Execute
Driver loads and executes code
Impact
RCE on Metabase host

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Metabase account that holds permission to add or edit a database connection (a database-management/admin-level capability), plus the ability to configure a Snowflake-type connection pointing at an attacker-controlled server that impersonates Snowflake and drives the JDBC driver's arbitrary file write. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0) presents this as trivially exploitable and unauthenticated, but the description directly contradicts PR:N: exploitation requires 'a Metabase user with permission to add or edit a database connection,' which is a privileged, authenticated operation - verify with the vendor, as this materially lowers real-world exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained (or been granted) a Metabase account with database-management permission stands up a malicious server that speaks the Snowflake protocol, then creates or edits a Metabase database connection pointing at it. When Metabase's Snowflake JDBC driver connects, the malicious server drives it to overwrite one of Metabase's own driver files on disk, and the next time that driver is loaded the attacker's code runs inside the Metabase process. …
Remediation Vendor-released patch: upgrade to 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, or 1.60.4 depending on your current branch, per the advisory at https://github.com/metabase/metabase/security/advisories/GHSA-r6x2-rchx-q9g9. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Metabase deployments running versions 1.54.0 or later and confirm which instances have Snowflake connections configured; note that while no public exploit has been identified at time of analysis, the vulnerability carries a CVSS score of 10.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-38646 CRITICAL POC
9.8 Jul 21

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary comman

CVE-2021-41277 HIGH POC
7.5 Nov 17

Metabase is an open source data analytics platform. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2022-43776 MEDIUM POC
6.5 Oct 26

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request For

CVE-2023-37470 CRITICAL
9.8 Aug 04

Metabase is an open-source business intelligence and analytics platform. Rated critical severity (CVSS 9.8), this vulner

CVE-2023-32680 CRITICAL
9.6 May 18

Metabase is an open source business analytics engine. Rated critical severity (CVSS 9.6), this vulnerability is remotely

CVE-2022-24853 MEDIUM POC
5.3 Apr 14

Metabase is an open source business intelligence and analytics application. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-59827 HIGH
8.8 Jul 09

Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run

CVE-2022-39362 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-39361 HIGH
8.8 Oct 26

Metabase is data visualization software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2022-24854 HIGH
8.8 Apr 14

Metabase is an open source business intelligence and analytics application. Rated high severity (CVSS 8.8), this vulnera

CVE-2026-27464 HIGH
7.7 Feb 21

Metabase versions prior to 0.57.13 and 0.58.x through 0.58.6 allow authenticated users to extract sensitive data includi

CVE-2026-50147 HIGH
7.6 Jul 15

Arbitrary file read in Metabase (versions from 1.57.0 up to the fixed releases) allows an attacker who already holds dat

Share

EUVD-2026-44701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy