CVE-2026-33725
Remote Code Execution via SQL Injection in Metabase Enterprise Serialization
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metabase | metabase | Up to 1.54.22 (exc) |
| metabase | metabase | From 1.55.0 (inc) to 1.55.22 (exc) |
| metabase | metabase | From 1.56.0 (inc) to 1.56.22 (exc) |
| metabase | metabase | From 1.57.0 (inc) to 1.57.16 (exc) |
| metabase | metabase | From 1.58.0 (inc) to 1.58.10 (exc) |
| metabase | metabase | From 1.59.0 (inc) to 1.59.4 (exc) |
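To turn the affected-version table above into something a practitioner can run against an inventory, here is an added example (not part of the advisory and not Metabase project code) that encodes the six ranges exactly as listed, with the exclusive upper bound of each range being the patched release. It assumes Enterprise version strings of the form `1.X.Y`, optionally prefixed with `v` or suffixed with a qualifier such as `-SNAPSHOT`; versions outside the `1.x` line are treated as out of scope because the page lists no other major version.

```python
"""Check a Metabase Enterprise version string against the affected ranges
listed for CVE-2026-33725. Ranges are copied from the advisory table;
the parsing assumptions are this example's own."""

from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, or None for "no lower bound"; upper bound exclusive)
# The upper bound of each range is the patched release for that minor line.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (1, 54, 22)),
    ((1, 55, 0), (1, 55, 22)),
    ((1, 56, 0), (1, 56, 22)),
    ((1, 57, 0), (1, 57, 16)),
    ((1, 58, 0), (1, 58, 10)),
    ((1, 59, 0), (1, 59, 4)),
]


def parse_version(text: str) -> Version:
    """Parse 'v1.57.3' or '1.57.3-SNAPSHOT' into a comparable tuple.
    Dropping the 'v' prefix and '-qualifier' suffix is an assumption
    about how versions are reported, not something the advisory states."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def _matching_range(v: Version) -> Optional[Tuple[Optional[Version], Version]]:
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or lower <= v) and v < upper:
            return (lower, upper)
    return None


def is_affected(text: str) -> bool:
    """True if the version falls inside any listed affected range."""
    v = parse_version(text)
    if v[0] != 1:
        # Only 1.x (Enterprise) releases appear in the advisory table.
        return False
    return _matching_range(v) is not None


def fixed_version_for(text: str) -> Optional[str]:
    """Return the patched release on the same line (the range's exclusive
    upper bound), or None when the version is not affected."""
    v = parse_version(text)
    rng = _matching_range(v) if v[0] == 1 else None
    if rng is None:
        return None
    return ".".join(str(n) for n in rng[1])


if __name__ == "__main__":
    for sample in ["1.53.5", "1.57.3", "1.57.16", "v1.58.9-SNAPSHOT", "1.59.4"]:
        print(sample, "affected" if is_affected(sample) else "not affected",
              fixed_version_for(sample) or "")
```

Note that versions in the gaps between ranges (for example 1.54.22 up to 1.55.0) are reported as not affected, which is what the table implies; the check does not distinguish Enterprise from open-source builds, so confirm the edition separately, since the advisory states only Enterprise Edition carries the vulnerable code paths.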
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33725 is a high-severity vulnerability in Metabase Enterprise Edition versions prior to 1.59.x that have serialization functionality. Authenticated administrators can exploit this vulnerability via the POST /api/ee/serialization/import endpoint by submitting a crafted serialization archive.
The crafted archive injects an INIT property into the H2 JDBC specification, which allows execution of arbitrary SQL commands during a database synchronization process. This can lead to Remote Code Execution (RCE) on the underlying system.
The attack involves two steps: first, writing a malicious Clojure payload, and then executing it to run operating system commands. Additionally, attackers can perform arbitrary file reads by using crafted YAML that exfiltrates files accessible by the JVM process through an HTTP callback.
This vulnerability only affects Metabase Enterprise Edition; the open-source version does not contain the vulnerable code paths.
How can this vulnerability impact me?
This vulnerability can have serious impacts including Remote Code Execution (RCE), which allows an attacker with admin privileges to execute arbitrary commands on the server hosting Metabase Enterprise.
Attackers can also read arbitrary files accessible by the JVM process, potentially exposing sensitive data.
The compromise of confidentiality, integrity, and availability of the system is possible, as indicated by the CVSS score metrics.
If exploited, this could lead to full system compromise, data breaches, and disruption of business intelligence services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the /api/ee/serialization/import endpoint on Metabase Enterprise Edition instances.
Since the attack requires authenticated admin access, reviewing access logs for unusual admin activity or unexpected serialization import attempts is recommended.
Specific commands to detect exploitation attempts are not provided in the available resources.
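Since the page names the endpoint but gives no detection commands, here is an added example (not from the advisory or the Metabase project) that scans access logs for POST requests to /api/ee/serialization/import and reports source address, timestamp, response status and user agent. It assumes the logs come from a reverse proxy in front of Metabase in Apache/nginx combined format; the log lines embedded below are constructed for the demonstration, with RFC 5737 documentation addresses as sources.

```python
"""Scan reverse-proxy access logs (combined log format, assumed) for POST
requests to Metabase's /api/ee/serialization/import endpoint, the endpoint
named in the advisory for CVE-2026-33725."""

import re
from collections import Counter
from typing import Dict, Iterable, List

TARGET_PATH = "/api/ee/serialization/import"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines for the demonstration; not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2026:10:15:02 +0000] "GET /api/card HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Mar/2026:10:15:40 +0000] "POST /api/ee/serialization/export HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Mar/2026:10:16:11 +0000] "POST /api/ee/serialization/import HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.9 - - [27/Mar/2026:10:16:30 +0000] "POST /api/ee/serialization/import?foo=bar HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [27/Mar/2026:10:17:05 +0000] "POST /api/ee/serialization/import HTTP/1.1" 403 128 "-" "python-requests/2.31"
this line is not an access log entry
"""


def normalise_path(path: str) -> str:
    """Drop the query string and a trailing slash so variants of the same
    endpoint compare equal."""
    return path.split("?", 1)[0].rstrip("/") or "/"


def find_import_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per POST to the serialization import endpoint."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m.group("method") == "POST" and normalise_path(m.group("path")) == TARGET_PATH:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": m.group("status"),
                "user_agent": m.group("ua") or "-",
            })
    return hits


def count_by_source(hits: List[Dict[str, str]]) -> Counter:
    """How many import POSTs each source address sent."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_import_requests(SAMPLE_LOG.splitlines())
    for h in found:
        # A 2xx means the server accepted the upload; 401/403 means the caller
        # lacked the admin session the endpoint requires.
        outcome = "accepted" if h["status"].startswith("2") else "rejected"
        print(f'{h["timestamp"]} {h["ip"]} status={h["status"]} ({outcome}) ua={h["user_agent"]}')
    print(dict(count_by_source(found)))
```

Every accepted (2xx) hit should correspond to a serialization import an administrator knowingly performed; anything else, and any import from an unfamiliar source address or non-browser user agent, is worth correlating with the Metabase audit log for that admin account.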
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to disable the serialization import endpoint (/api/ee/serialization/import) in your Metabase Enterprise instance to prevent access to the vulnerable code paths.
Additionally, upgrading Metabase Enterprise to one of the patched versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, or 1.59.4 is strongly recommended to fully address the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated administrators to perform Remote Code Execution (RCE) and Arbitrary File Read attacks, which can lead to unauthorized access to sensitive data and compromise system integrity and availability.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information, ensuring confidentiality, integrity, and availability of data.
If exploited, this vulnerability could result in exposure or manipulation of protected data, thereby violating regulatory requirements and potentially leading to legal and financial consequences.