PT-2026-28512 · Unknown · Metabase Enterprise
Author: Rahul Maini
Published: 2026-03-25 · Updated: 2026-05-23
CVE-2026-33725
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Metabase Enterprise versions 1.47 through 1.54.21
Metabase Enterprise versions 1.55.0 through 1.55.21
Metabase Enterprise versions 1.56.0 through 1.56.21
Metabase Enterprise versions 1.57.0 through 1.57.15
Metabase Enterprise versions 1.58.0 through 1.58.9
Metabase Enterprise versions 1.59.0 through 1.59.3
Description
Authenticated administrators can achieve remote code execution (RCE) and arbitrary file read through the 'POST /api/ee/serialization/import' endpoint: a crafted serialization archive injects an INIT property into the H2 JDBC specification, so arbitrary SQL runs during database synchronization. The issue is specific to the Enterprise Edition and has been confirmed in Metabase Cloud.
Recommendations
Update to version 1.54.22
Update to version 1.55.22
Update to version 1.56.22
Update to version 1.57.16
Update to version 1.58.10
Update to version 1.59.4
As a temporary workaround, disable the serialization import endpoint to prevent access to the affected code paths.
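The INIT property named in the description is an H2 connection option that executes SQL whenever a connection is opened, which is why its presence in an imported database definition matters. The following is an added example, not Metabase's own code, of a defender-side audit that flags H2 JDBC specs carrying that option before an archive is trusted; the archive layout it reads (a list of database entries with "name", "engine" and a "details" dict holding the spec under "db") and the function names are assumptions made for this illustration.

```python
"""Audit H2 JDBC specs found in a serialization archive for the INIT option.

Added example; the archive field names below are assumed, not Metabase's.
"""

# H2 option keys that must not arrive via an untrusted archive. INIT runs
# arbitrary SQL on connect; the set is kept small and explicit on purpose.
DENIED_OPTIONS = {"INIT"}


def parse_h2_spec(spec: str) -> tuple[str, dict[str, str]]:
    """Split 'jdbc:h2:<url>;KEY=VALUE;...' into the base URL and its options.

    H2 treats option keys case-insensitively, so keys are upper-cased here to
    stop a lower- or mixed-case 'init' from slipping past the deny-list.
    """
    if spec.lower().startswith("jdbc:"):
        spec = spec[len("jdbc:"):]
    base, *raw_options = spec.split(";")
    options: dict[str, str] = {}
    for part in raw_options:
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        options[key.strip().upper()] = value.strip()
    return base, options


def unsafe_options(spec: str) -> list[str]:
    """Return the denied option keys present in one H2 spec (sorted)."""
    _, options = parse_h2_spec(spec)
    return sorted(key for key in options if key in DENIED_OPTIONS)


def audit_archive_databases(databases: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (database name, denied keys) for every H2 entry that carries one.

    Non-H2 engines are skipped; an empty result means the archive is clean with
    respect to this check (and only this check).
    """
    findings = []
    for db in databases:
        if db.get("engine") != "h2":
            continue
        spec = (db.get("details") or {}).get("db", "")
        bad = unsafe_options(spec)
        if bad:
            findings.append((db.get("name", "<unnamed>"), bad))
    return findings


# Constructed sample of what the database section of an archive might hold.
SAMPLE_ARCHIVE_DATABASES = [
    {"name": "clean-h2", "engine": "h2",
     "details": {"db": "jdbc:h2:file:/srv/data/app;DB_CLOSE_DELAY=-1"}},
    {"name": "suspicious-h2", "engine": "h2",
     "details": {"db": "jdbc:h2:mem:x;init=SELECT 1"}},
    {"name": "postgres-prod", "engine": "postgres",
     "details": {"host": "db.example.internal"}},
]

if __name__ == "__main__":
    for name, keys in audit_archive_databases(SAMPLE_ARCHIVE_DATABASES):
        print(f"REJECT {name}: denied H2 options {keys}")
```

Splitting on ';' is enough to spot the key even when the option's value itself contains escaped semicolons, because the check only needs the key to be present; an allow-list of permitted H2 options would be the stricter variant if the set of legitimately used options is known for a given deployment.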
Tags: Exploit · Fix · RCE · DoS · Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products: Metabase Enterprise