SB2025022494 - Improper access control in Metabase
Published: February 24, 2025 Updated: May 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2025-27141)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in cached questions when serving cached query results to impersonated users. A remote user can run a question that returns cached results to disclose sensitive information.
This issue affects only the Enterprise Edition. User interaction is required because another user must first run the same question so that its results are cached.
Remediation
Install update from vendor's website.