What is the severity of CVE-2025-27141?

CVE-2025-27141 is classified as a high severity vulnerability due to its potential impact on user data and access controls.

How do I fix CVE-2025-27141?

To mitigate CVE-2025-27141, upgrade Metabase Enterprise Edition to version 1.50.36, 1.51.14, 1.52.11, or 1.53.2 or later.

Who is affected by CVE-2025-27141?

Users of Metabase Enterprise Edition versions 1.47.0 through 1.50.36, and specific versions between 1.51.0 and 1.53.2 are affected by CVE-2025-27141.

What type of vulnerability is CVE-2025-27141?

CVE-2025-27141 is an impersonation vulnerability that allows users with impersonation permissions to potentially exploit the system.

What does CVE-2025-27141 allow attackers to do?

CVE-2025-27141 may allow attackers with certain permissions to impersonate other users and gain unauthorized access to sensitive data.

Vulnerability/
CVE-2025-27141

medium

6.5

CWE

732

EPSS

0.031%

24/2/2025

28/2/2025

CVE-2025-27141: Metabase Enterprise Edition allows cached questions to leak data to impersonated users

First published: Mon Feb 24 2025(Updated: )

Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees the same results as the previous user. These cached results may include data the impersonated user should not have access to. This vulnerability only impacts the Enterprise Edition of Metabase and not the Open Source Edition. Versions 1.53.2, 1.52.11, 1.51.14, and 1.50.36 contains a patch. Versions on the 1.49.X, 1.48.X, and 1.47.X branches are vulnerable but do not have a patch available, so users should upgrade to a major version with an available fix. Disabling question caching is a workaround for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Metabase	>=1.47.0<1.50.36
Metabase	>=1.51.0<1.51.14
Metabase	>=1.52.0<1.52.11
Metabase	>=1.53.0<1.53.2
Metabase	>1.47.0<1.50.36>=1.51.14<1.53.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-27141?
CVE-2025-27141 is classified as a high severity vulnerability due to its potential impact on user data and access controls.
How do I fix CVE-2025-27141?
To mitigate CVE-2025-27141, upgrade Metabase Enterprise Edition to version 1.50.36, 1.51.14, 1.52.11, or 1.53.2 or later.
Who is affected by CVE-2025-27141?
Users of Metabase Enterprise Edition versions 1.47.0 through 1.50.36, and specific versions between 1.51.0 and 1.53.2 are affected by CVE-2025-27141.
What type of vulnerability is CVE-2025-27141?
CVE-2025-27141 is an impersonation vulnerability that allows users with impersonation permissions to potentially exploit the system.
What does CVE-2025-27141 allow attackers to do?
CVE-2025-27141 may allow attackers with certain permissions to impersonate other users and gain unauthorized access to sensitive data.

agent/author
agent/first-publish-date
agent/weakness
agent/title
agent/references
agent/description
agent/type
agent/source
agent/severity
collector/mitre-cve
source/MITRE
agent/softwarecombine
agent/tags
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
collector/epss-latest
source/FIRST
agent/epss
agent/guess-ai
agent/software-canonical-lookup-request
vendor/metabase
canonical/metabase
version/metabase/1.47.0
version/metabase/1.51.0
version/metabase/1.52.0
version/metabase/1.53.0