High severity8.6NVD Advisory· Published Jan 12, 2026· Updated Apr 10, 2026

CVE-2026-22805

Description

Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1.

Affected products

Metabase/Metabase4 versions
cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*+ 3 more
- cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*range: <0.55.13
- cpe:2.3:a:metabase:metabase:0.57.0:beta:*:*:-:*:*:*
- cpe:2.3:a:metabase:metabase:1.57.0:beta:*:*:enterprise:*:*:*
- cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*range: <1.55.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqxnvdMitigationVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.559
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000