CVE-2026-22805 Overview
CVE-2026-22805 is a Server-Side Request Forgery (SSRF) vulnerability affecting Metabase, an open-source data analytics platform. Self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase deployment is colocated with other unsecured resources. This vulnerability enables authenticated users with subscription creation privileges to potentially access internal resources that should not be externally accessible.
Critical Impact
Authenticated users with subscription privileges may leverage SSRF to access colocated unsecured internal resources on self-hosted Metabase deployments.
Affected Products
- Metabase versions prior to 55.13
- Metabase versions prior to 56.3
- Metabase versions prior to 57.1
Discovery Timeline
- 2026-01-12 - CVE CVE-2026-22805 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22805
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches a remote resource without properly validating the user-supplied URL. In the context of Metabase, the subscription feature processes user-controlled input that can be manipulated to make requests to internal network resources.
The attack requires network access and high privileges (subscription creation rights), along with specific environmental conditions where the Metabase instance is colocated with other unsecured internal resources. The primary impact is limited confidentiality exposure in downstream systems rather than the Metabase instance itself.
Root Cause
The root cause lies in insufficient URL validation within the subscription functionality of Metabase. When processing subscription-related requests, the application fails to adequately restrict or sanitize destination URLs, allowing authenticated users to craft requests that target internal network endpoints. This is particularly concerning in environments where Metabase shares network access with other internal services that lack proper authentication controls.
Attack Vector
The attack vector is network-based, requiring an authenticated attacker with high privileges (ability to create subscriptions). The attacker must have:
- Valid credentials to a self-hosted Metabase instance
- Permission to create subscriptions within the platform
- Knowledge of or ability to enumerate internal resources colocated with the Metabase deployment
The attacker crafts malicious subscription configurations that cause the Metabase server to make requests to internal endpoints, potentially accessing sensitive data from unsecured colocated resources. The complexity of successful exploitation is high due to the specific environmental requirements and privilege levels needed.
Detection Methods for CVE-2026-22805
Indicators of Compromise
- Unusual outbound requests from the Metabase server to internal IP ranges or localhost addresses
- Subscription configurations containing internal URLs, private IP addresses, or cloud metadata endpoints (e.g., 169.254.169.254)
- Anomalous network traffic patterns from the Metabase application server to internal services
Detection Strategies
- Monitor Metabase application logs for subscription creation activities with suspicious URL patterns
- Implement network monitoring to detect SSRF-style request patterns from the Metabase server
- Review audit logs for users creating or modifying subscriptions with unusual frequency or configurations
- Deploy web application firewall rules to detect and block SSRF attempt patterns
Monitoring Recommendations
- Enable detailed logging for subscription-related API endpoints in Metabase
- Configure network egress monitoring on Metabase servers to alert on requests to internal network ranges
- Implement alerting for subscription creation events targeting non-standard or internal URLs
How to Mitigate CVE-2026-22805
Immediate Actions Required
- Upgrade Metabase to version 55.13, 56.3, or 57.1 or later immediately
- Audit existing subscriptions for potentially malicious URL configurations
- Review user permissions and restrict subscription creation privileges to trusted users only
- Implement network segmentation to isolate Metabase from sensitive internal resources
Patch Information
Metabase has released security patches addressing this vulnerability in versions 55.13, 56.3, and 57.1. Organizations should upgrade to the appropriate patched version based on their current deployment. For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Restrict subscription creation privileges to only essential, trusted users
- Implement network segmentation to prevent Metabase from accessing sensitive internal resources
- Deploy egress filtering rules on the Metabase server to block requests to internal IP ranges
- Consider temporarily disabling the subscription feature if not critical to operations until patching is complete
# Network segmentation example - restrict Metabase outbound access
# Add iptables rules to block internal network access from Metabase server
iptables -A OUTPUT -m owner --uid-owner metabase -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner metabase -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner metabase -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner metabase -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
