Improper access control in Metabase - CVE-2025-27141


Published: February 24, 2025 / Updated: May 5, 2026


Vulnerability identifier: #VU130155
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-27141
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Metabase
Affected software:
Metabase

Detailed vulnerability description

The vulnerability allows a remote authenticated user to disclose sensitive information.

The vulnerability exists due to improper access control in cached questions: cached query results are served to impersonated users without regard to the identity under which the results were originally computed. In Metabase Enterprise Edition, connection impersonation runs a user's queries under a database role derived from that user, so two users running the same question may be entitled to different rows. If the cache does not take that identity into account, a remote user can run a question that returns results cached for another user and obtain data their own role should not see.

This issue affects only the Enterprise Edition. User interaction is required because another user must first run the same question so that its results are cached.
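The following is an added illustration of the cache-scoping flaw described above, written for this page; it is not Metabase code and does not reproduce Metabase's cache implementation. The backend rows, the role-to-region mapping and the single supported query are constructed sample data. It contrasts a cache keyed only on the query text (any user who runs the same question gets whichever result was cached first) with a cache keyed on the query text plus the effective identity the query ran under.

```python
"""Toy model of serving cached query results across impersonated identities.

Not Metabase code. ROWS, ROLE_REGION and the one supported SQL string are
constructed sample data for this example.
"""
from dataclasses import dataclass, field
import hashlib

# Constructed backend: each row belongs to a region; a role may see one region
# (or all of them for the admin role), the way a row-level policy would apply.
ROWS = [
    {"id": 1, "region": "emea", "revenue": 100},
    {"id": 2, "region": "apac", "revenue": 250},
    {"id": 3, "region": "emea", "revenue": 75},
]
ROLE_REGION = {"analyst_emea": "emea", "analyst_apac": "apac", "admin": None}
SQL = "SELECT SUM(revenue) FROM sales"


def run_query(sql: str, role: str) -> int:
    """Simulate the database executing SQL under the impersonated role."""
    region = ROLE_REGION[role]
    visible = [r for r in ROWS if region is None or r["region"] == region]
    if sql == SQL:
        return sum(r["revenue"] for r in visible)
    raise ValueError("query not supported by this toy backend")


@dataclass
class QueryCache:
    """A result cache whose key optionally includes the effective identity."""
    scope_by_role: bool
    store: dict = field(default_factory=dict)

    def key(self, sql: str, role: str) -> str:
        # Vulnerable pattern: key on the SQL alone, so results computed under
        # one role are returned to every other role that runs the same SQL.
        # Fixed pattern: fold the impersonated role into the key so each
        # identity only ever receives results computed under that identity.
        material = f"{role}\x00{sql}" if self.scope_by_role else sql
        return hashlib.sha256(material.encode()).hexdigest()

    def run(self, sql: str, role: str) -> int:
        k = self.key(sql, role)
        if k not in self.store:
            self.store[k] = run_query(sql, role)
        return self.store[k]


def demo(scope_by_role: bool) -> tuple:
    """Admin warms the cache, then a restricted analyst runs the same question.

    Returns (admin_result, analyst_result). With scope_by_role=False the
    analyst receives the admin's figure; with True they receive their own.
    """
    cache = QueryCache(scope_by_role)
    admin_result = cache.run(SQL, "admin")
    analyst_result = cache.run(SQL, "analyst_emea")
    return admin_result, analyst_result


if __name__ == "__main__":
    print("unscoped cache:", demo(False))  # analyst sees the admin's total
    print("scoped cache:  ", demo(True))   # analyst sees only EMEA rows
```

The check a practitioner would apply to any cached-query layer is the one `demo` performs: warm the cache as a privileged identity, run the identical query as a less privileged one, and confirm the second caller's result equals what an uncached run under their own identity would return.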


How to mitigate CVE-2025-27141

Install the security update from the vendor's website.

Sources