Metabase Subscription Vulnerability Exposes Self-Hosted Instances


CVE Notify is flagging a critical vulnerability, CVE-2026-22805, affecting self-hosted instances of Metabase, the popular open-source data analytics platform. According to their report, Metabase versions prior to 55.13, 56.3, and 57.1 (one fixed release per supported branch) are affected when users are allowed to create subscriptions. The specific danger arises if these Metabase deployments run alongside other unsecured resources on the same infrastructure, that is, services reachable from the Metabase host that rely on network position rather than their own authentication.

In practice, a user who can create subscriptions could use that feature to reach, and potentially pivot to, adjacent resources that are not themselves locked down. While the vulnerability is patched in the versions above, the advisory highlights a common pitfall in self-hosted environments: the assumption that securing the primary application is sufficient without considering the broader attack surface, in particular what the application host can reach on the network.

CVE Notify emphasizes that updating to Metabase versions 55.13, 56.3, or 57.1 is the fix. This incident serves as a stark reminder that even seemingly isolated features can become vectors for compromise when combined with lax security practices on adjacent systems.

What This Means For You

  • Security teams should audit self-hosted Metabase deployments: confirm the running version is at or above 55.13, 56.3, or 57.1 for its branch, review which users and groups are able to create subscriptions, and verify that the instance is not co-located with, or able to reach, other unsecured resources on the network. Until the update is applied, restricting who can create subscriptions and isolating the Metabase host from unauthenticated internal services reduces the exposure the advisory describes.
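The version check above is easy to get wrong because the fix landed in three separate release branches, and Metabase tags carry an edition prefix (v0.x for OSS, v1.x for Enterprise) in front of the branch number. The following is an added example, not code from CVE Notify or from Metabase, that parses a Metabase version tag, decides whether it carries the fix, and combines that with whether users can create subscriptions. It assumes that branches newer than 57 shipped after the fix, and the optional fetch helper assumes the unauthenticated /api/session/properties endpoint exposes version.tag; both are assumptions, not statements from the advisory.

```python
import json
import re
import urllib.request

# First fixed release on each branch, as given in the advisory.
PATCHED = {55: 13, 56: 3, 57: 1}

# Metabase tags look like "v0.56.2" (OSS) or "v1.56.2" (Enterprise);
# the leading 0/1 encodes the edition, not the release line.
_TAG_RE = re.compile(r"^v?(?P<edition>[01])\.(?P<major>\d+)\.(?P<minor>\d+)")


def parse_version(tag):
    """Return (major, minor) from a Metabase version tag, ignoring the edition prefix."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    return int(m.group("major")), int(m.group("minor"))


def is_patched(tag):
    """True if this release is at or above the fixed version for its branch."""
    major, minor = parse_version(tag)
    if major in PATCHED:
        return minor >= PATCHED[major]
    if major < min(PATCHED):
        return False  # branches older than 55 have no fix listed
    return True  # assumption: branches newer than 57 shipped after the fix


def assess(tag, users_can_create_subscriptions):
    """Combine the two conditions the advisory names into an audit verdict."""
    patched = is_patched(tag)
    return {
        "version": tag,
        "patched": patched,
        "subscriptions_enabled": users_can_create_subscriptions,
        # exposure requires both an unpatched build and subscription creation
        "exposed": (not patched) and users_can_create_subscriptions,
    }


def fetch_version_tag(base_url, timeout=5):
    """Read the running version from a live instance.

    Assumption: GET /api/session/properties is reachable without a session
    and returns a JSON object with version.tag. Not used by the offline demo.
    """
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        props = json.load(resp)
    return props["version"]["tag"]


if __name__ == "__main__":
    # Constructed inventory for the offline demo; not real hosts.
    inventory = [
        ("bi-prod", "v1.56.2", True),
        ("bi-staging", "v0.57.1", True),
        ("bi-legacy", "v0.54.8", False),
    ]
    for name, tag, subs in inventory:
        verdict = assess(tag, subs)
        state = "EXPOSED" if verdict["exposed"] else ("patched" if verdict["patched"] else "update")
        print(f"{name:12} {tag:10} subscriptions={subs!s:5} -> {state}")
```

Run it against your own inventory, or replace the constructed tuples with calls to fetch_version_tag for each base URL; a result of "update" (unpatched, subscriptions disabled) still needs the upgrade, it just lacks the second condition the advisory pairs with it.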

Indicators of Compromise

ID: CVE-2026-22805
Type: Misconfiguration
Indicator: Metabase versions prior to 55.13, 56.3, and 57.1, where Metabase is co-located with other unsecured resources and users can create subscriptions.