Zero Day Monitor
CVSS 7.2 · CVE-2026-33725 · EXPLOITED
metaba · metaba

Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import

Description

A vulnerability labeled as problematic has been found in Metabase up to 1.59.3. This affects an unknown function of the file /api/ee/serialization/import of the component Serialization Import Endpoint. The manipulation results in deserialization. This vulnerability is known as CVE-2026-33725. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

Affected Products

Vendor: metaba
Product: metaba
Versions: < 1.54.22, >= 1.55.0, < 1.55.22, >= 1.56.0, < 1.56.22, >= 1.57.0, < 1.57.16, >= 1.58.0, < 1.58.10, >= 1.59.0, < 1.59.4, 1.59.3

References

  • https://github.com/metabase/metabase/security/advisories/GHSA-fppj-vcm3-w229 (x_refsource_CONFIRM)

Related News (1 articles)

Tier C
VulDB · 3h ago
CVE-2026-33725 | Metabase up to 1.59.3 Serialization Import Endpoint import deserialization (GHSA-fppj-vcm3-w229)
→ No new info (linked only)
CVSS 3.1: 7.2 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-502
Published: 3/27/2026
Last enriched: 1h ago (v3)
Trending Score: 49
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Verification

State: unverified
Confidence: 0%

Version History

v3 · Tier C · 1h ago

Updated vendor and product names, added a new description, and corrected exploit availability to false.

description
via VulDB
v2 · Tier C · 3h ago

Updated affected versions to include 1.59.3, changed severity to CRITICAL, and noted that no exploit is available.

affectedVersions, severity, activelyExploited
via VulDB
v1 · 7h ago

Initial creation