Live Exposure Defense: From CVE to Confirmed Exposure in 12 Hours – See more

New CVE Detected

CVE-2026-50148 – RCE via Snowflake JDBC Arbitrary File Write – Metabase 1.54.0 through 1.60.3

Be the first to know when new zero-days emerge:

Summary

CVE-2026-50148 is a critical Remote Code Execution vulnerability in Metabase, an open-source business intelligence and embedded analytics platform, affecting all releases from version 1.54.0 up to (but not including) the patched builds. The flaw originates from a vulnerability in the Snowflake JDBC driver that allows arbitrary file writes anywhere on the host filesystem: by configuring a Snowflake database connection pointing to an attacker-controlled server, a user with database-connection management rights can cause Metabase to overwrite one of its own on-disk driver files, which is subsequently loaded and executed inside the Metabase server process. The vulnerability carries a maximum CVSS v3.1 score of 10.0 (Critical) and was patched across seven concurrent releases on July 15, 2026.

Technical details

  • Root cause: A flaw in the Snowflake JDBC driver (CWE-73: External Control of File Name or Path) permits the driver to write files to arbitrary filesystem paths on the Metabase host when directed to connect to an attacker-controlled server.
  • Trigger condition: A Metabase user holding permission to add or edit database connections configures a Snowflake connection that points to an attacker-controlled endpoint; no additional steps or victim interaction are required after that configuration is saved.
  • Attack vector: Network-reachable Metabase instance; the CVSS vector scores Privileges Required as None (PR:N) and User Interaction as None (UI:N), with Attack Complexity Low (AC:L) and Scope Changed (S:C).
  • Impact: The attacker replaces one of Metabase’s bundled database driver files on disk; when the Metabase process subsequently loads that file, the attacker’s payload executes with the full privileges of the Metabase server process, resulting in complete Remote Code Execution. All three impact dimensions — confidentiality, integrity, and availability — are rated High.

Affected software

  • Metabase 1.54.0 through 1.54.23
  • Metabase 1.55.0 through 1.55.23
  • Metabase 1.56.0 through 1.56.24
  • Metabase 1.57.0 through 1.57.18
  • Metabase 1.58.0 through 1.58.13
  • Metabase 1.59.0 through 1.59.9
  • Metabase 1.60.0 through 1.60.3

Severity

CVSS v3.1 base score: 10.0 (Critical)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Mitigation and recommended actions

  • Immediate: Upgrade to one of the patched releases — 1.54.24, 1.55.24, 1.56.25, 1.57.19, 1.58.14, 1.59.10, or 1.60.4. The fix resolves the vulnerability by bundling first-party database drivers directly into the application, eliminating the on-disk driver replacement attack surface entirely.
  • If immediate patching is not possible: Restrict database-connection management permissions to the smallest possible set of trusted administrators, and apply network-level controls to limit access to the Metabase instance from untrusted sources.

IONIX Status

The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

References

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

How IONIX’s External Exposure Management Platform Detects and Validates
Zero-Days to Shrink MTTR

1

Map your entire attack surface (continously)

IONIX uses multi-factor discovery methods, including DNS analysis, certificate mapping, metadata inspection, and more, to automatically map every internet-facing asset across your environment. This includes cloud instances, third-party platforms, shadow IT, and even forgotten infrastructure that traditional tools miss.

2

Monitor for new CVEs

Dozens of threat intel feeds using agentic technology are continuously analyzed to detect the appearance of proof-of-concept code, exploit kits, and indicators of active targeting. IONIX goes further by applying AI to proactively evaluate whether emerging vulnerabilities are likely to be exploited, even before PoCs go public.

3

Identify Potential External Exposures

Not all CVEs matter. IONIX filters vulnerabilities by asking attacker-centric questions: Can it be reached from the internet? Does it require authentication? Is it being exploited in the wild? This dramatically reduces noise and focuses teams on threats that can actually be weaponized.

4

Create Safe, Scalable Exploit Validations

IONIX transforms real-world PoCs into safe, non-intrusive test payloads that can be run in production environments without disruption. These simulations are precisely targeted to the systems that are vulnerable, ensuring rapid validation without unnecessary load.

5

Execute Exploit Validations

By combining context about software stack, versioning, exposure status, and reachability, IONIX ensures that only the right payloads are executed against the right assets, maximizing efficiency and minimizing risk.

6

Drive Fast and Actionable Remediation

Results are routed through integrations with ticketing, SOAR, and SIEM tools. Issues are written in plain language, bundled into remediation clusters, and prioritized based on asset criticality, exploitability, and blast radius. This shortens mean time to remediation (MTTR) and empowers teams to act with confidence.

Are you exposed?

Get a free report of your organization’s exposure to this CVE and threat

Subscribe to Threat Center RSS

Copy/paste the link below into your preferred RSS reader or follow these instructions to subscribe to Slack alerts.

Get Real-Time CVE Alerts to Your Email

Be the first to know when new zero-days emerge