CVE-2026-50147 in Metabaseinfo

Summary

by MITRE • 07/15/2026

Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters to a MySQL or MariaDB connection, causing the driver to read files from the Metabase host and expose the contents through queries against the connected database or through validation error messages. This issue is fixed in versions 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability affects Metabase business intelligence platform versions ranging from 1.57.0 through 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, representing a critical server-side file inclusion flaw that enables attackers to extract arbitrary files from the host system. The technical implementation involves unsafe JDBC parameter handling within MySQL and MariaDB connection configurations, where specifically crafted parameters can cause the underlying database driver to read local filesystem contents and expose them through database query results or error messages. This represents a classic path traversal vulnerability that operates at the database driver level rather than application logic, making it particularly dangerous as it bypasses typical application security controls.

The operational impact of this vulnerability extends beyond simple information disclosure, as attackers can potentially access sensitive configuration files, credential stores, and other system resources that may contain authentication tokens, API keys, or database connection strings. The flaw operates through JDBC driver parameter injection where unsafe parameters like "allowLoadLocalInfile" or similar options can be manipulated to trigger file reading behavior from the Metabase server's filesystem. This vulnerability aligns with CWE-22 Path Traversal and CWE-94 Code Injection categories, demonstrating how database driver misconfiguration can lead to severe system compromise. The ATT&CK framework would categorize this under T1566 Initial Access through Vulnerability Exploitation, specifically targeting the Database Service component.

Security professionals should immediately implement mitigation strategies including restricting database connection configuration capabilities to authorized administrators only, disabling potentially dangerous JDBC parameters such as "allowLoadLocalInfile" and "secureFilePriv", and implementing network segmentation between Metabase servers and sensitive system resources. Organizations must also conduct thorough audits of their database connection configurations to identify any instances where unsafe parameters may be present in production environments. The vulnerability demonstrates the importance of principle of least privilege in database connectivity and highlights how seemingly benign JDBC driver features can become attack vectors when improperly configured or validated. Regular security updates and patch management processes should be reinforced to prevent similar issues in other components of the data analytics stack, as this vulnerability essentially allows attackers to escalate from database access to full system compromise through careful exploitation of database driver behaviors.

Responsible

GitHub M

Reservation

06/03/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!