SB2025022494 - Improper access control in Metabase



SB2025022494 - Improper access control in Metabase

Published: February 24, 2025 Updated: May 5, 2026

Security Bulletin ID SB2025022494
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2025-27141)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in cached questions when serving cached query results to impersonated users. A remote user can run a question that returns cached results to disclose sensitive information.

This issue affects only the Enterprise Edition. User interaction is required because another user must first run the same question so that its results are cached.


Remediation

Install update from vendor's website.