PT-2025-7794 · Metabase · Metabase Enterprise Edition

Perivamsi · Published 2025-02-24 · Updated 2025-02-28 · CVE-2025-27141

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Metabase Enterprise Edition versions 1.47.0 through 1.49.x
Metabase Enterprise Edition versions 1.50.0 through 1.50.35
Metabase Enterprise Edition versions 1.51.0 through 1.51.13
Metabase Enterprise Edition versions 1.52.0 through 1.52.10

Description

The issue allows users with impersonation permissions to see results of cached questions, even if their permissions don’t allow them to see the data. This occurs when an impersonated user runs a question that was previously run by another user, resulting in the impersonated user seeing the same results as the previous user. These cached results may include data the impersonated user should not have access to.

Recommendations

For Metabase Enterprise Edition versions 1.47.0 through 1.49.x, upgrade to a major version with an available fix.
For Metabase Enterprise Edition versions 1.50.0 through 1.50.35, upgrade to version 1.50.36 or later.
For Metabase Enterprise Edition versions 1.51.0 through 1.51.13, upgrade to version 1.51.14 or later.
For Metabase Enterprise Edition versions 1.52.0 through 1.52.10, upgrade to version 1.52.11 or later.
As a temporary workaround, consider disabling question caching to mitigate the risk of exploitation.
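
The behaviour in the Description can be reproduced with a small model of a result cache. This is an added example, not Metabase's code or its fix: the names `QuestionCache`, `User`, `db_role` and the sample rows are assumptions, and scoping the cache key to the impersonated role is shown only as one general way to avoid this class of bug.

```python
from dataclasses import dataclass

# Constructed sample table: each row lists the database roles allowed to read it.
ROWS = [
    {"region": "EU", "revenue": 120, "visible_to": {"analyst_all", "analyst_eu"}},
    {"region": "US", "revenue": 340, "visible_to": {"analyst_all"}},
]

@dataclass(frozen=True)
class User:
    name: str
    db_role: str  # hypothetical: role the connection impersonates for this user

def run_on_database(question_id, user):
    """Stand-in for the database, which enforces the impersonated role."""
    return [(r["region"], r["revenue"]) for r in ROWS if user.db_role in r["visible_to"]]

class QuestionCache:
    """Result cache whose key either ignores or includes the impersonated role."""

    def __init__(self, key_includes_role):
        self.key_includes_role = key_includes_role
        self.store = {}

    def _key(self, question_id, user):
        if self.key_includes_role:
            return (question_id, user.db_role)  # results are scoped per role
        return (question_id,)                   # results are shared by every user

    def run(self, question_id, user):
        key = self._key(question_id, user)
        if key not in self.store:
            # Cache miss: the database applies the caller's role to the query.
            self.store[key] = run_on_database(question_id, user)
        # Cache hit: no permission check happens on this path.
        return self.store[key]

def demo(key_includes_role):
    cache = QuestionCache(key_includes_role)
    unrestricted = User("first_user", "analyst_all")
    impersonated = User("eu_analyst", "analyst_eu")
    cache.run(42, unrestricted)         # first run populates the cache
    return cache.run(42, impersonated)  # same question, restricted role
```

With the role left out of the key, the restricted user receives the rows cached for the first user; with the role in the key, the second run misses the cache and the database filters the rows. Disabling caching, the workaround above, removes the cache-hit path entirely.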

Exploit

Fix

Weakness Enumeration

Incorrect Permission

Related Identifiers

CVE-2025-27141
GHSA-6CC4-H534-XH5P

Affected Products

Metabase Enterprise Edition