{"api_version":"1","generated_at":"2026-04-23T00:41:39+00:00","cve":"CVE-2026-22805","urls":{"html":"https://cve.report/CVE-2026-22805","api":"https://cve.report/api/cve/CVE-2026-22805.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-22805","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-22805"},"summary":{"title":"Metabase channel test endpoint can reach internal local addresses","description":"Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-01-12 23:15:53","updated_at":"2026-04-10 14:55:49"},"problem_types":["CWE-918","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)"],"metrics":[{"version":"4.0","source":"security-advisories@github.com","type":"Secondary","score":"2.1","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"2.1","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N","data":{"attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":2.1,"baseSeverity":"LOW","privilegesRequired":"HIGH","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE"}},{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"8.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx","name":"https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx","refsource":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-22805","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22805","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"metabase","product":"metabase","version":"affected >= 0.57.0-beta, < 57.1","platforms":[]},{"source":"CNA","vendor":"metabase","product":"metabase","version":"affected >= 0.56.0-beta, < 56.3","platforms":[]},{"source":"CNA","vendor":"metabase","product":"metabase","version":"affected < 55.13","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"22805","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"metabase","cpe5":"metabase","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22805","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"metabase","cpe5":"metabase","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-22805","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-01-13T14:13:44.384619Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-01-13T19:07:47.948Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"metabase","vendor":"metabase","versions":[{"status":"affected","version":">= 0.57.0-beta, < 57.1"},{"status":"affected","version":">= 0.56.0-beta, < 56.3"},{"status":"affected","version":"< 55.13"}]}],"descriptions":[{"lang":"en","value":"Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1."}],"metrics":[{"cvssV4_0":{"attackComplexity":"HIGH","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":2.1,"baseSeverity":"LOW","privilegesRequired":"HIGH","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"CWE-918: Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-01-12T22:36:35.272Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx","tags":["x_refsource_CONFIRM"],"url":"https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx"}],"source":{"advisory":"GHSA-2wgg-7r2p-cmqx","discovery":"UNKNOWN"},"title":"Metabase channel test endpoint can reach internal local addresses"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-22805","datePublished":"2026-01-12T22:36:35.272Z","dateReserved":"2026-01-09T22:50:10.287Z","dateUpdated":"2026-01-13T19:07:47.948Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-12 23:15:53","lastModifiedDate":"2026-04-10 14:55:49","problem_types":["CWE-918","CWE-918 CWE-918: Server-Side Request Forgery (SSRF)"],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*","versionEndExcluding":"0.55.13","matchCriteriaId":"F4A0D575-8CFF-4FFD-8139-C8AB9A2FBC08"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*","versionEndExcluding":"1.55.13","matchCriteriaId":"40AAAF84-1F5E-4A75-84BA-A42A95AE1930"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:-:*:*:*","versionStartIncluding":"0.56.0","versionEndExcluding":"0.56.3","matchCriteriaId":"38B54579-0285-4B58-A30F-1ECCAA9C6F40"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.56.0","versionEndExcluding":"1.56.3","matchCriteriaId":"A939F298-EE96-4017-8322-192BA080F500"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:0.57.0:beta:*:*:-:*:*:*","matchCriteriaId":"6205A3AA-7DDB-4450-9340-61EACE075F0C"},{"vulnerable":true,"criteria":"cpe:2.3:a:metabase:metabase:1.57.0:beta:*:*:enterprise:*:*:*","matchCriteriaId":"F7765873-8C95-4AF8-A756-23C8AD7A1074"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"22805","Ordinal":"1","Title":"Metabase channel test endpoint can reach internal local addresse","CVE":"CVE-2026-22805","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"22805","Ordinal":"1","NoteData":"Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1.","Type":"Description","Title":"Metabase channel test endpoint can reach internal local addresse"}]}}}