External risk intelligence

Metabase Snowflake Connection Remote Code Execution Via Arbitrary File Write.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-50148

Metabase is commonly deployed as a web-based business intelligence and analytics platform. These services are frequently exposed to the internet or wide internal networks to allow users to access dashboards, reports, and data visualizations, making the application surface highly reachable in typical deployments.

Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Metabase, an open-source business intelligence tool, could allow an attacker to execute arbitrary code on the server. This is possible by exploiting a flaw in how Metabase configures certain database connections, potentially enabling unauthorized access and modification of system files. The main concern is to confirm if this specific technology is in use and assess any exposure.

  • Flaw allows code execution on Metabase servers.
  • Confirms use and exposure of BI tool.
  • Prioritize verifying relevance and potential impact.

Attack Path

How an attacker could exploit the issue

An attacker can achieve remote code execution by tricking a Metabase user into configuring a database connection to a malicious server. This leverages a flaw in the Snowflake JDBC driver to write files onto the Metabase host, eventually leading to the execution of arbitrary code within the Metabase process.

  • Network access required.
  • Malicious database connection configuration.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A Metabase user with database connection privileges could execute arbitrary code on the server by configuring a malicious Snowflake connection. This could allow an attacker to replace Metabase's database driver files, leading to the execution of arbitrary code within the Metabase process when the driver is next used.

  • Metabase server code execution.
  • Malicious database connection configuration.
  • System compromise and data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world responsibility for this vulnerability likely falls to the application owners responsible for the Metabase instances and potentially platform or infrastructure teams managing the underlying server. The first practical move is to identify all Metabase deployments, confirm their reachability and business criticality, and then assign ownership for remediation to the accountable party before planning a coordinated update.

  • Application owners should own the issue.
  • Verify external reachability and business criticality.
  • Plan and execute controlled upgrades.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Metabase and how is it used?

Metabase is an open-source business intelligence and analytics platform. Organizations use it to create interactive dashboards, visualize data, and perform embedded analytics. It is typically hosted on a server where users connect various databases to generate reports and share insights across teams.

What is the vulnerability in CVE-2026-50148?

This vulnerability is classified as CWE-73: External Control of File Name or Path. It occurs because of a flaw in the Snowflake JDBC driver used by Metabase. An attacker can exploit this to write arbitrary files onto the host server, which can replace existing database driver files. When these replaced files are loaded, they execute as code within the Metabase process.

How can an attacker trigger this vulnerability?

An attacker needs to trick a user who has permissions to add or edit database connections into configuring a Snowflake connection to an attacker-controlled server. Simply having Metabase installed does not trigger the flaw; it requires the specific action of misconfiguring a database connection to point to a malicious source.

Is my Metabase instance at risk?

According to Halo Surface Signal, Metabase is frequently exposed to the internet or wide internal networks to facilitate report sharing, making it a highly reachable target. If your instance is accessible via the network and allows users to manage database connections, you should prioritize investigating this vulnerability.

How do I address CVE-2026-50148?

Your first step is to identify all active Metabase deployments in your environment and determine who owns them. Once identified, verify if you are running an affected version. If so, coordinate an upgrade to the patched versions—1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, or 1.60.4—to resolve the underlying driver issue.

References