CVE-2025-27141

6.5 MEDIUM

📋 TL;DR

In Metabase Enterprise Edition, users with impersonation permissions can access cached query results from other users, potentially viewing data they shouldn't have permission to see. This affects Enterprise Edition versions 1.47.0 through 1.53.1, excluding patched versions. Only users with impersonation permissions can exploit this vulnerability.

💻 Affected Systems

Products:
  • Metabase Enterprise Edition
Versions: 1.47.0 through 1.53.1 (excluding patched versions 1.50.36, 1.51.14, 1.52.11, 1.53.2)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Enterprise Edition, not Open Source Edition. Requires impersonation permissions to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Impersonated users access sensitive cached data from privileged users, leading to data breach of confidential business intelligence or PII.

🟠 Likely Case

Impersonated users inadvertently see cached query results from other users, potentially accessing data beyond their role-based permissions.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to potential minor data exposure within authorized user groups.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials with impersonation permissions. The attack involves running cached queries that were previously executed by other users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.53.2, 1.52.11, 1.51.14, 1.50.36

Vendor Advisory: https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p

Restart Required: Yes

Instructions:

1. Back up your Metabase instance and database.
2. Upgrade to one of the patched versions: 1.53.2, 1.52.11, 1.51.14, or 1.50.36.
3. Restart the Metabase service.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable Question Caching (platforms: all)

Disable caching of query results to prevent data exposure through cached results.

Set environment variable: MB_QUESTION_CACHING_ENABLED=false
Or configure in Metabase admin settings: Admin > Settings > Caching > Disable question caching

🧯 If You Can't Patch

  • Restrict impersonation permissions to only essential users
  • Implement strict access controls and monitor user query activities

🔍 How to Verify

Check if Vulnerable:

Check Metabase version via Admin > Troubleshooting > Logs, or run: java -jar metabase.jar version

Check Version:

java -jar metabase.jar version

Verify Fix Applied:

Verify version is 1.53.2, 1.52.11, 1.51.14, or 1.50.36. Test that impersonated users cannot access cached results from other users.
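
The version check above can be scripted across several instances. The following is an added example, not code from Metabase or from the advisory; it classifies version strings against the affected range and patched releases listed on this page. It assumes that a leading 0 in the version marks an Open Source Edition build and that later releases on a patched branch keep the fix; the host names and versions in the sample inventory are constructed.

```python
import re

# Values from this page: affected range and the first fixed release per branch.
FIRST_AFFECTED = (1, 47, 0)
LAST_AFFECTED = (1, 53, 1)
FIXED_PATCH = {(1, 50): 36, (1, 51): 14, (1, 52): 11, (1, 53): 2}

def parse_version(text):
    """Pull (major, minor, patch) out of strings like 'v1.52.3' or '1.52'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(version_text):
    """Classify one version: not-enterprise, not-affected, patched, vulnerable."""
    major, minor, patch = parse_version(version_text)
    if major == 0:
        # Assumption: a leading 0 denotes an Open Source Edition build.
        return "not-enterprise"
    version = (major, minor, patch)
    if version < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_PATCH.get((major, minor))
    # Assumption: releases after the listed fix on the same branch keep the fix.
    if fixed is not None and patch >= fixed:
        return "patched"
    if version > LAST_AFFECTED:
        return "not-affected"
    # In range with no fix reached; 1.47 to 1.49 have no patched release listed.
    return "vulnerable"

def needs_upgrade(inventory):
    """Return sorted host names whose reported version is vulnerable."""
    return sorted(h for h, v in inventory.items() if assess(v) == "vulnerable")

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "bi-prod": "v1.52.10",
    "bi-stage": "v1.52.11",
    "bi-legacy": "v1.48.7",
    "bi-oss": "v0.52.10",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE):
        print(host, SAMPLE[host], "-> upgrade to a patched release")
```

A "patched" or "not-affected" result only confirms the version; the behavioural test with an impersonated user described above is still needed.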

📡 Detection & Monitoring

Log Indicators:

  • Unusual query patterns from impersonated users
  • Access to cached queries by unauthorized users
  • Multiple users accessing same cached results

Network Indicators:

  • Increased query traffic from impersonation-enabled accounts
  • Patterns of cached query access

SIEM Query:

source="metabase" AND (event="query_cache_hit" OR event="impersonation_access") AND user.role="impersonator"
