Metabase Enterprise Edition Cached Data Exposure Vulnerability for Impersonated Users

Vulnerability

A vulnerability exists in Metabase Enterprise Edition versions from 1.47.0 up to, but not including, the fixed releases 1.50.36, 1.51.14, 1.52.11, and 1.53.2. It allows users with impersonation permissions to access cached results of questions they should not be able to see. When a user runs a question and the result is cached, an impersonated user can later run the same question and receive the cached results, which may include data they are not authorized to access. This issue does not affect the Open Source Edition of Metabase.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive data through cached question results, allowing impersonated users to see information they should not have access to.

Remediation

Users should upgrade to Metabase Enterprise versions 1.53.2, 1.52.11, 1.51.14, or 1.50.36. For those on versions 1.49.X, 1.48.X, or 1.47.X, which are vulnerable but do not have a patch available, upgrading to a major version with an available fix is recommended. Disabling question caching can be used as a temporary workaround.
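The version ranges above can be checked across an inventory with a short script. This is an added example, not code from Metabase or from this advisory; the hostnames and deployed versions are constructed, and it assumes Enterprise builds are numbered 1.x while Open Source builds are numbered 0.x.

```python
import re

# Fixed Enterprise releases named in the advisory, keyed by release line (1.<line>.<patch>).
FIXED = {50: 36, 51: 14, 52: 11, 53: 2}
FIRST_AFFECTED_LINE = 47  # the advisory lists 1.47.0 as the first affected version

def parse_version(text):
    """Parse 'v1.52.10', '1.53.2' or '1.50.35.1' into (edition, line, patch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(text):
    """Return (affected, action) for one version string, per the advisory's ranges."""
    edition, line, patch = parse_version(text)
    if edition != 1:
        # Assumption: Enterprise builds are numbered 1.x and Open Source builds 0.x.
        return False, "not an Enterprise 1.x build"
    if line < FIRST_AFFECTED_LINE or line > max(FIXED):
        return False, "outside the version range the advisory lists"
    if line not in FIXED:
        # 1.47.x, 1.48.x, 1.49.x: vulnerable, no patch on these lines.
        return True, "no patch on this line: move to 1.50.36 or a later fixed line; disable question caching until then"
    fix = f"1.{line}.{FIXED[line]}"
    if patch >= FIXED[line]:
        return False, f"at or above {fix}"
    return True, f"upgrade to {fix} or later"

def triage(inventory):
    """Map each affected host to its recommended action."""
    result = {}
    for host, version in inventory.items():
        affected, action = assess(version)
        if affected:
            result[host] = action
    return result

# Constructed sample inventory (hostnames and deployed versions are invented).
SAMPLE_INVENTORY = {
    "bi-prod.example.internal": "v1.52.10",
    "bi-staging.example.internal": "1.53.2",
    "bi-legacy.example.internal": "v1.48.7",
    "bi-oss.example.internal": "v0.52.3",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```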

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.