Executive Summary

CVE-2026-22805 is a low-severity vulnerability in self-hosted Metabase instances prior to versions 55.13, 56.3, and 57.1. It arises from the 'channel test' endpoint, which allows an attacker with high privileges to exploit the webhook test functionality to send requests to internal local network addresses. This means if Metabase is co-located with other unsecured internal resources and allows users to create subscriptions, an attacker can potentially interact with internal HTTP services running on local IPs by configuring a webhook with a local IP address and sending a test alert. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with high privileges on a Metabase instance to send requests to internal local network services that are otherwise inaccessible. This could lead to unauthorized interaction with internal HTTP services on local IP addresses. However, the impact on confidentiality, integrity, and availability of the Metabase system itself is none, and the impact on confidentiality of subsequent systems is low. The vulnerability requires specific deployment conditions and high privileges to exploit. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Metabase instance allows users to create subscriptions and if it is co-located with other unsecured internal resources. Specifically, you can test the 'channel test' endpoint by configuring a webhook in the Admin panel under Notification channels with a local IP address in the webhook URL and sending a test alert. If the test alert successfully sends requests to internal IP addresses, the vulnerability is present. There are no specific commands provided, but this manual test via the Metabase Admin panel is the suggested detection method. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading your Metabase instance to one of the patched versions 55.13, 56.3, or 57.1. As a workaround, redeploy Metabase in a dedicated subnet with strict outbound port controls to limit exposure to internal network resources. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability has a low severity and requires high privileges to exploit. It allows an attacker to send requests to internal local network addresses if Metabase is co-located with unsecured resources. However, the impact on confidentiality, integrity, and availability of the vulnerable system is none, and the impact on confidentiality of subsequent systems is low. There is no direct indication that this vulnerability leads to data breaches or non-compliance with standards like GDPR or HIPAA. Mitigation involves upgrading to patched versions or isolating Metabase in a dedicated subnet. Therefore, while the vulnerability could potentially expose internal services, it does not directly imply non-compliance with common standards and regulations. [1]

Useful 0 Not Useful 0