Platform: java
Component: metabase
Fixed in: 1.54.23, 1.55.1, 1.56.1, 1.57.1, 1.58.1, 1.59.1
CVE-2026-33725 is a Remote Code Execution (RCE) vulnerability discovered in Metabase Enterprise, an open-source business intelligence and embedded analytics tool. This flaw allows authenticated administrators to achieve RCE and arbitrary file read through a crafted serialization archive. The vulnerability affects versions of Metabase Enterprise prior to 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4. A fix is available in version 1.59.4.
An attacker exploiting CVE-2026-33725 can gain complete control over the Metabase Enterprise server. This is achieved by injecting a malicious INIT property into the H2 JDBC spec during a database sync via the /api/ee/serialization/import endpoint. Successful exploitation allows arbitrary SQL execution, enabling attackers to read sensitive data, modify the database, and ultimately execute arbitrary code on the server. The confirmed exploitation on Metabase Cloud demonstrates the real-world risk. The blast radius extends to any data accessible through the Metabase database, including user credentials, business reports, and potentially sensitive business data.
CVE-2026-33725 was publicly disclosed on 2026-03-27. No known public proof-of-concept (POC) exploits are currently available, but the vulnerability's nature (RCE via SQL injection) suggests a high likelihood of exploitation if a POC is released. The vulnerability is not currently listed on CISA KEV, but its HIGH severity warrants close monitoring. Active campaigns are not currently confirmed, but the ease of exploitation (requiring only admin authentication) makes it a potential target.
Exploit Status
EPSS: 0.35% (57th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33725 is to immediately upgrade Metabase Enterprise to version 1.59.4 or later. If upgrading is not immediately feasible, consider restricting access to the /api/ee/serialization/import endpoint to trusted administrators only. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious serialization payloads can provide an additional layer of defense. Monitor Metabase logs for suspicious activity related to database synchronization and SQL execution. After upgrading, confirm the fix by attempting to import a serialization archive and verifying that no SQL injection occurs.
Update Metabase Enterprise to version 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, or 1.59.4 or later. As an alternative, disable the serialization import endpoint in your Metabase instance to prevent access to the vulnerable codepaths.
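As an added defensive check (not code from Metabase or from this advisory), the Python below inspects an unpacked serialization archive before it is handed to the import endpoint and rejects any H2 connection spec that carries an INIT property, the injection vector described above. It assumes the archive is YAML and that H2 connection details appear in a `db` field; the sample entry is constructed.

```python
"""Pre-import check for Metabase serialization archives: flag H2 connection
specs that carry an INIT property, the injection vector this advisory names.
Added example, not Metabase code; the `db` key and YAML layout are assumptions."""
import re
from pathlib import Path

# H2 specs are ';'-separated ("<url>;KEY=VALUE;..."); capture up to the
# closing quote or end of line so property values containing spaces survive.
H2_SPEC_RE = re.compile(r"(?:jdbc:)?h2:[^\"'\n]+")
# Rejected whatever its value: INIT lets a connection string run SQL on connect.
UNSAFE_H2_PROPS = {"INIT"}

def h2_properties(spec):
    """Parse 'h2:file:/x;A=1;b=2' into {'A': '1', 'B': '2'} (keys upper-cased)."""
    props = {}
    for part in spec.split(";")[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            props[key.strip().upper()] = value.strip()
    return props

def unsafe_properties(spec):
    """Sorted names of forbidden properties present in one H2 spec."""
    return sorted(k for k in h2_properties(spec) if k in UNSAFE_H2_PROPS)

def scan_archive_text(text):
    """Return [(spec, [unsafe_keys])] for every unsafe H2 spec found in `text`."""
    findings = []
    for match in H2_SPEC_RE.finditer(text):
        spec = match.group(0).rstrip()
        bad = unsafe_properties(spec)
        if bad:
            findings.append((spec, bad))
    return findings

def scan_archive_dir(root):
    """Scan every YAML file under an unpacked archive; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.yaml"):
        hits = scan_archive_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample of one database entry as it might appear in an export.
SAMPLE_ARCHIVE = """\
name: Sample H2
engine: h2
details:
  db: "jdbc:h2:file:/var/lib/metabase/sample;INIT=SET AUTOCOMMIT FALSE"
"""
```

Run `scan_archive_dir` over the extracted archive directory and refuse the import when it returns anything.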
CVE-2026-33725 is a Remote Code Execution vulnerability in Metabase Enterprise versions ≤ 1.59.0 and < 1.59.4. An authenticated admin can exploit it to execute arbitrary SQL, potentially leading to full server compromise.
You are affected if you are running Metabase Enterprise versions prior to 1.59.4. Metabase OSS is not affected by this vulnerability.
Upgrade Metabase Enterprise to version 1.59.4 or later to remediate the vulnerability. Consider restricting access to the /api/ee/serialization/import endpoint as an interim measure.
While no active exploitation campaigns have been confirmed, the vulnerability's nature suggests a high likelihood of exploitation if a public proof-of-concept is released.
Refer to the official Metabase security advisory for CVE-2026-33725 on the Metabase website: [https://www.metabase.com/security/]