CVE-2026-50148 in Metabaseinfo

Summary

by MITRE • 07/15/2026

Metabase is an open-source business intelligence and embedded analytics tool. From 1.54.0 until 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4, a Metabase user with permission to add or edit a database connection can achieve remote code execution on the Metabase server by configuring a Snowflake connection to an attacker-controlled server, because a flaw in the Snowflake JDBC driver can write arbitrary files anywhere on the Metabase host, including replacing one of Metabase's own database driver files that later executes inside the Metabase process. This issue is fixed in versions 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability represents a critical remote code execution flaw in Metabase business intelligence platform that stems from improper input validation within the Snowflake database connection configuration process. The security issue exists due to a flaw in the Snowflake JDBC driver that allows arbitrary file writing capabilities on the host system, enabling attackers with database connection permissions to escalate privileges and execute malicious code directly on the Metabase server. This vulnerability affects multiple version ranges including 1.54.0 through 1.54.23, 1.55.0 through 1.55.23, 1.56.0 through 1.56.24, 1.57.0 through 1.57.18, 1.58.0 through 1.58.13, 1.59.0 through 1.59.9, and 1.60.0 through 1.60.3, making it a widespread concern for organizations using affected Metabase deployments.

The technical exploitation mechanism relies on the Snowflake JDBC driver's insufficient validation of connection parameters, specifically allowing attackers to craft malicious configuration settings that result in arbitrary file system writes. When an authenticated user configures a Snowflake connection pointing to an attacker-controlled server, the flawed driver component can write files to any location within the Metabase host filesystem. This capability becomes particularly dangerous when combined with the ability to replace critical database driver files that are subsequently executed within the Metabase process context, effectively enabling attackers to achieve persistent code execution with the privileges of the Metabase service account.

The operational impact of this vulnerability is severe and multifaceted, as it transforms a limited database connection permission into full system compromise. Attackers can leverage this flaw to execute arbitrary commands on the server, potentially leading to data exfiltration, lateral movement within networks, or complete system takeover. The vulnerability particularly affects organizations that rely on Metabase for business intelligence operations and may have users with database configuration permissions, as these individuals can inadvertently or maliciously trigger the exploit without requiring additional privileges. Additionally, the attack surface is broadened by the fact that Snowflake connections are commonly configured in enterprise environments, making this vulnerability particularly relevant for organizations using cloud data warehouses.

This vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), as it involves inadequate path validation during database connection setup and improper handling of external inputs that can result in arbitrary file operations. From an attack framework perspective, this vulnerability maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: Python) and T1021.004 (Remote Services: SSH) through the potential for command execution and remote access capabilities that can be achieved through the file writing functionality. Organizations should implement immediate mitigations including updating to the fixed versions, restricting database connection permissions to trusted users only, and monitoring for unauthorized configuration changes in Metabase deployments. The fix addresses the root cause by implementing proper input validation and sanitization within the Snowflake JDBC driver interaction process, preventing arbitrary file system writes that could lead to privilege escalation or code execution attacks.

The vulnerability demonstrates how third-party library flaws can create cascading security issues in application platforms, particularly when applications fail to adequately validate or sanitize inputs from external components. Organizations should conduct thorough security assessments of their Metabase deployments and ensure all database connection configurations are properly reviewed and secured. Regular security updates and vulnerability scanning processes become critical for maintaining protection against similar issues that may arise from dependencies within business intelligence and analytics platforms.

Responsible

GitHub M

Reservation

06/03/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!