CVE-2026-50148 PUBLISHED

Metabase: Remote Code Execution via Snowflake JDBC Driver Arbitrary File Write

Assigner: GitHub_M
Reserved: 03.06.2026 Published: 15.07.2026 Updated: 15.07.2026

Metabase is an open-source business intelligence and embedded analytics tool. From 1.54.0 until 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4, a Metabase user with permission to add or edit a database connection can achieve remote code execution on the Metabase server by configuring a Snowflake connection to an attacker-controlled server, because a flaw in the Snowflake JDBC driver can write arbitrary files anywhere on the Metabase host, including replacing one of Metabase's own database driver files that later executes inside the Metabase process. This issue is fixed in versions 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, and 1.60.4.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Product Status

Vendor metabase
Product metabase
Versions
  • Version >= 1.54.0, < 1.54.24 is affected
  • Version >= 1.55.0, < 1.55.24 is affected
  • Version >= 1.56.0, < 1.56.25 is affected
  • Version >= 1.57.0, < 1.57.19 is affected
  • Version >= 1.58.0, < 1.58.14 is affected
  • Version >= 1.59.0, < 1.59.10 is affected
  • Version >= 1.60.0, < 1.60.4 is affected

References

Problem Types

  • CWE-73: External Control of File Name or Path CWE