CVE-2026-22805
Subscription Access Vulnerability in Metabase Prior to
Publication date: 2026-01-12
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metabase | metabase | to 0.55.13 (exc) |
| metabase | metabase | From 0.56.0 (inc) to 0.56.3 (exc) |
| metabase | metabase | to 1.55.13 (exc) |
| metabase | metabase | From 1.56.0 (inc) to 1.56.3 (exc) |
| metabase | metabase | 0.57.0 |
| metabase | metabase | 1.57.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
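The CWE-918 entry above names the missing control: the server fetches a user-supplied URL without making sure it points at an expected, external destination. The Python below is an added illustration written for this page, not Metabase's code, showing the destination check a webhook-test endpoint would apply before sending anything: restrict the scheme, resolve the host, and refuse any address that is not globally routable (loopback, RFC 1918, link-local including the 169.254.169.254 metadata range, IPv6 ULA, multicast and reserved space). The injectable `resolve` parameter and the hostnames used with it are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# A resolver maps a hostname to the list of addresses it answers with.
# Injectable so the check can be exercised without live DNS.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA answer using the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal_address(raw: str) -> bool:
    """True for any address that is not globally routable.

    Covers loopback, RFC 1918, link-local (169.254.0.0/16, fe80::/10),
    IPv6 ULA, multicast, unspecified and reserved ranges.
    """
    addr = ipaddress.ip_address(raw)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def webhook_destination_allowed(
    url: str, resolve: Resolver = system_resolver
) -> tuple[bool, str]:
    """Decide whether a user-supplied webhook URL may be contacted.

    Returns (allowed, reason).  Rejects non-HTTP(S) schemes, URLs without a
    host, IP literals that are not global, and hostnames where *any* resolved
    address is not global: every answer must pass, not just the first.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # literal address, nothing to resolve
    except ValueError:
        try:
            candidates = list(resolve(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}"
        if not candidates:
            return False, "hostname did not resolve"
    for cand in candidates:
        if is_internal_address(cand):
            return False, f"{host} -> {cand} is not a global address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver table standing in for DNS.
    fake_dns = {"hooks.example.com": ["1.2.3.4"], "db.internal": ["10.0.0.5"]}
    for candidate in ("https://hooks.example.com/notify", "http://db.internal:5432/",
                      "http://169.254.169.254/latest/", "http://[::1]:3000/api"):
        print(candidate, webhook_destination_allowed(candidate, fake_dns.get))
```

Two caveats belong with this check: the address is validated at resolution time but the HTTP client resolves again when it connects, so a rebinding name can pass the check and then connect elsewhere (connect to the vetted address, or re-check inside the client), and every redirect target must go through the same function. Network-level egress controls, as the advisory's workaround suggests, catch what the application check misses.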
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22805 is a low-severity vulnerability in self-hosted Metabase instances prior to versions 55.13, 56.3, and 57.1. It arises from the 'channel test' endpoint, which allows an attacker with high privileges to exploit the webhook test functionality to send requests to internal local network addresses. This means if Metabase is co-located with other unsecured internal resources and allows users to create subscriptions, an attacker can potentially interact with internal HTTP services running on local IPs by configuring a webhook with a local IP address and sending a test alert. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with high privileges on a Metabase instance to send requests to internal local network services that are otherwise inaccessible. This could lead to unauthorized interaction with internal HTTP services on local IP addresses. However, the impact on confidentiality, integrity, and availability of the Metabase system itself is none, and the impact on confidentiality of subsequent systems is low. The vulnerability requires specific deployment conditions and high privileges to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Metabase instance allows users to create subscriptions and if it is co-located with other unsecured internal resources. Specifically, you can test the 'channel test' endpoint by configuring a webhook in the Admin panel under Notification channels with a local IP address in the webhook URL and sending a test alert. If the test alert successfully sends requests to internal IP addresses, the vulnerability is present. There are no specific commands provided, but this manual test via the Metabase Admin panel is the suggested detection method. [1]
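The advisory's own detection advice is a manual webhook test; a quicker first check is to compare the instance's version tag against the affected ranges in the table above. The Python helper below is an added example, not part of the advisory or of Metabase: it encodes that table (everything before 55.13 on either the 0.x OSS or 1.x Enterprise train, 56.0 up to but excluding 56.3, and 57.0) and reports whether a given tag falls inside it. The `v0.55.12` / `v1.55.12` tag format is what Metabase shows in its admin pages; `affected_from_properties` assumes a JSON object carrying the tag under `version.tag`, which is my assumption about the response shape rather than something this page states.

```python
from __future__ import annotations

import re

# Fixed versions per the advisory: 55.13, 56.3 and 57.1.  The 0.x (OSS) and
# 1.x (Enterprise) trains share minor/patch numbering, so one table serves both.
FIXED_PATCH = {55: 13, 56: 3, 57: 1}

# Accept "v0.55.12", "1.56.2", or tags with a suffix such as "v0.57.0-RC1".
_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version_tag(tag: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a Metabase version tag."""
    match = _TAG_RE.match(tag.strip())
    if not match:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_affected(tag: str) -> bool:
    """True if the tag falls inside the affected ranges listed in the advisory."""
    major, minor, patch = parse_version_tag(tag)
    if major not in (0, 1):
        return False  # not a train the advisory lists
    if minor < 55:
        return True  # "to 0.55.13 (exc)" covers every earlier release
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return False  # 58 and later are not listed as affected
    return patch < fixed


def affected_from_properties(props: dict) -> bool:
    """Evaluate a parsed properties document.  ASSUMPTION: the tag lives at
    props["version"]["tag"]; adjust the path if your instance reports it elsewhere."""
    return is_affected(props["version"]["tag"])


if __name__ == "__main__":
    # Constructed sample tags, one per row of the affected-versions table.
    for sample in ("v0.54.9", "v0.55.12", "v0.55.13", "v1.56.2", "v1.56.3", "v0.57.0", "v0.57.1"):
        print(f"{sample:>9}: {'AFFECTED' if is_affected(sample) else 'fixed/unaffected'}")
```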
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading your Metabase instance to one of the patched versions 55.13, 56.3, or 57.1. As a workaround, redeploy Metabase in a dedicated subnet with strict outbound port controls to limit exposure to internal network resources. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability has a low severity and requires high privileges to exploit. It allows an attacker to send requests to internal local network addresses if Metabase is co-located with unsecured resources. However, the impact on confidentiality, integrity, and availability of the vulnerable system is none, and the impact on confidentiality of subsequent systems is low. There is no direct indication that this vulnerability leads to data breaches or non-compliance with standards like GDPR or HIPAA. Mitigation involves upgrading to patched versions or isolating Metabase in a dedicated subnet. Therefore, while the vulnerability could potentially expose internal services, it does not directly imply non-compliance with common standards and regulations. [1]