Security researchers have published a working Proof of Concept (PoC) exploit for a critical vulnerability in Metabase Enterprise.
Tracked as CVE-2026-33725, this security flaw allows attackers to achieve Remote Code Execution (RCE) and read arbitrary files on targeted systems.
The availability of a public exploit script significantly increases the risk for organizations running unpatched instances of the popular data analytics platform.
Understanding the Vulnerability
The vulnerability stems from a weakness in Metabase’s handling of Enterprise Edition (EE) serialization imports.
Specifically, it involves an H2 JDBC INIT injection flaw: think of it as slipping a forged master key into a building’s access-control system while that system is busy importing a list of new employees.
When Metabase processes a maliciously crafted import file, it triggers arbitrary database commands. This ultimately gives an attacker the ability to run system-level code or access sensitive files stored on the host server.
Remote Code Execution is widely considered one of the most severe types of vulnerabilities because it grants unauthorized users complete control over the compromised environment.
Affected Metabase Versions
Organizations using Metabase Enterprise must check their current software version immediately. The vulnerability impacts several specific release branches.
The following Enterprise versions are vulnerable to this exploit:
- Versions 1.47.0 through 1.54.21.
- Versions 1.55.0 through 1.55.21.
- Versions 1.56.0 through 1.56.21.
- Versions 1.57.0 through 1.57.15.
- Versions 1.58.0 through 1.58.9.
- Versions 1.59.0 through 1.59.3.
The Exploit Release
The Python-based exploit was recently published to GitHub by Diego Tellaroli, a security researcher associated with Hakai Security.
The repository includes a script that automates the attack chain required to exploit CVE-2026-33725.
While the tool carries a strict educational and research disclaimer, its public availability means threat actors can easily download and weaponize the code for malicious campaigns.
Hakai Security and its QuimeraX Intelligence platform often highlight these findings to encourage vendors and administrators to expedite remediation.
Cyber threat intelligence platforms monitor these exact types of public disclosures to alert clients before active exploitation begins in the wild.
Administrators must prioritize patching this vulnerability immediately. Since the exploit relies on a flaw in the import functionality, updating Metabase to the latest secure releases (such as 1.59.4, 1.58.10, or 1.57.16) neutralizes the threat.
If immediate patching is not possible, organizations should restrict network access to the Metabase administration panel and closely monitor system logs for suspicious serialization import requests.
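For administrators working through the version list above and the remediation advice, the following added script (not part of the original article or of Metabase) checks an inventory of Enterprise version strings against the listed vulnerable ranges using numeric comparison, so that "1.58.10" is correctly treated as newer than "1.58.9". It encodes only the ranges and fixed releases named in the article; Metabase OSS builds (0.x) are outside those ranges and therefore report as not listed.

```python
import re

# Vulnerable Enterprise release ranges as listed in the advisory (inclusive bounds).
VULNERABLE_RANGES = [
    ((1, 47, 0), (1, 54, 21)),
    ((1, 55, 0), (1, 55, 21)),
    ((1, 56, 0), (1, 56, 21)),
    ((1, 57, 0), (1, 57, 15)),
    ((1, 58, 0), (1, 58, 9)),
    ((1, 59, 0), (1, 59, 3)),
]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (1, 57): (1, 57, 16),
    (1, 58): (1, 58, 10),
    (1, 59): (1, 59, 4),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'v1.58.9' or '1.58.9-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True when the version falls inside one of the listed Enterprise ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def assess(version):
    """Return a one-line verdict, naming the upgrade target when the advisory gives one."""
    v = parse_version(version)
    if not is_vulnerable(version):
        return f"{version}: not in a listed vulnerable range"
    fix = FIXED_RELEASES.get(v[:2])
    target = ".".join(map(str, fix)) if fix else "the latest patched release of this branch"
    return f"{version}: VULNERABLE to CVE-2026-33725, upgrade to {target}"


if __name__ == "__main__":
    # Constructed sample inventory, standing in for versions pulled from an asset database.
    for ver in ["1.54.21", "1.54.22", "1.58.9", "1.58.10", "v1.59.3", "1.59.4", "0.59.3"]:
        print(assess(ver))
```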
