CVE-2026-33725— Metabase 代码问题漏洞

Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import

Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and Arbitrary File Read via the `POST /api/ee/serialization/import` endpoint. A crafted serialization archive injects an `INIT` property into the H2 JDBC spec, which can execute arbitrary SQL during a database sync. We confirmed this was possible on Metabase Cloud. This only affects Metabase Enterprise. Metabase OSS lacks the affected codepaths. All versions of Metabase Enterprise that have serialization, which dates back to at least version 1.47, are affected. Metabase Enterprise versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4 patch the issue. As a workaround, disable the serialization import endpoint in their Metabase instance to prevent access to the vulnerable codepaths.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

可信数据的反序列化

Metabase 代码问题漏洞

Metabase是美国Metabase公司的一个开源数据分析平台。 Metabase Enterprise 1.54.22之前版本、1.55.22之前版本、1.56.22之前版本、1.57.16之前版本、1.58.10之前版本和1.59.4之前版本存在代码问题漏洞，该漏洞源于序列化导入端点存在注入，可能导致经过身份验证的管理员实现远程代码执行和任意文件读取。

N/A

N/A