Critical RCE Vulnerability in Metabase Enterprise Exploited in the Wild Security researchers have disclosed a severe remote code execution (RCE) vulnerability in Metabase Enterprise, tracked as CVE-2026-33725, after a proof-of-concept (PoC) exploit was publicly released. The flaw, stemming from an H2 JDBC INIT injection weakness during serialization imports, allows unauthenticated attackers to execute arbitrary code or access sensitive files on vulnerable systems. The vulnerability affects multiple Metabase Enterprise versions, including: - 1.47.0–1.54.21 - 1.55.0–1.55.21 - 1.56.0–1.56.21 - 1.57.0–1.57.15 - 1.58.0–1.58.9 - 1.59.0–1.59.3 A Python-based PoC exploit, published by Hakai Security researcher Diego Tellaroli, automates the attack chain, increasing the risk of widespread exploitation. While the tool includes an educational disclaimer, its availability lowers the barrier for threat actors to launch automated attacks against exposed instances. Metabase has released patched versions (1.59.4, 1.58.10, 1.57.16) to mitigate the flaw. Organizations unable to patch immediately are advised to restrict access to the Metabase admin interface, limit network exposure, and monitor logs for suspicious activity. Unpatched systems risk full compromise, data breaches, and potential lateral movement within enterprise networks.