Summary
CVE-2026-50148 is a critical Remote Code Execution vulnerability in Metabase, an open-source business intelligence and embedded analytics platform, affecting all releases from version 1.54.0 up to (but not including) the patched builds. The flaw originates from a vulnerability in the Snowflake JDBC driver that allows arbitrary file writes anywhere on the host filesystem: by configuring a Snowflake database connection pointing to an attacker-controlled server, a user with database-connection management rights can cause Metabase to overwrite one of its own on-disk driver files, which is subsequently loaded and executed inside the Metabase server process. The vulnerability carries a maximum CVSS v3.1 score of 10.0 (Critical) and was patched across seven concurrent releases on July 15, 2026.
Technical details
- Root cause: A flaw in the Snowflake JDBC driver (CWE-73: External Control of File Name or Path) permits the driver to write files to arbitrary filesystem paths on the Metabase host when directed to connect to an attacker-controlled server.
- Trigger condition: A Metabase user holding permission to add or edit database connections configures a Snowflake connection that points to an attacker-controlled endpoint; no additional steps or victim interaction are required after that configuration is saved.
- Attack vector: Network-reachable Metabase instance; the CVSS vector scores Privileges Required as None (PR:N) and User Interaction as None (UI:N), with Attack Complexity Low (AC:L) and Scope Changed (S:C).
- Impact: The attacker replaces one of Metabase’s bundled database driver files on disk; when the Metabase process subsequently loads that file, the attacker’s payload executes with the full privileges of the Metabase server process, resulting in complete Remote Code Execution. All three impact dimensions — confidentiality, integrity, and availability — are rated High.
Affected software
- Metabase 1.54.0 through 1.54.23
- Metabase 1.55.0 through 1.55.23
- Metabase 1.56.0 through 1.56.24
- Metabase 1.57.0 through 1.57.18
- Metabase 1.58.0 through 1.58.13
- Metabase 1.59.0 through 1.59.9
- Metabase 1.60.0 through 1.60.3
Severity
CVSS v3.1 base score: 10.0 (Critical)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Mitigation and recommended actions
- Immediate: Upgrade to one of the patched releases — 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, or 1.60.4. The fix resolves the vulnerability by bundling first-party database drivers directly into the application, eliminating the on-disk driver replacement attack surface entirely.
- If immediate patching is not possible: Restrict database-connection management permissions to the smallest possible set of trusted administrators, and apply network-level controls to limit access to the Metabase instance from untrusted sources.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

