Cyber Threat Brief — April 29 2026
⚠️ This report is AI-generated. Always validate findings.
1. Metabase Enterprise RCE via H2 JDBC INIT Injection — CVE-2026-33725
TL;DR: A public Python PoC (hakaioffsec) automates RCE and arbitrary file read on Metabase Enterprise via crafted serialization import that injects INIT into the H2 JDBC connection string. CVSS 7.2 — requires admin auth, but admin-to-RCE with a push-button exploit drops the bar significantly.
What’s New:
- hakaioffsec/CVE-2026-33725 PoC published on GitHub; a single Python script chains the full attack: craft archive → POST /api/ee/serialization/import → H2 INIT injection → arbitrary SQL during sync → OS command execution
- Affects all Metabase Enterprise editions with serialization (v1.47 through v1.59.3); OSS editions are not affected
- CWE-502 deserialization flaw: the import endpoint trusts attacker-controlled JDBC properties inside the serialization archive without sanitization
- No ITW exploitation confirmed yet, but exploit is trivial to execute given admin credentials
- Patched in versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, 1.59.4
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /api/ee/serialization/import with crafted archive | Exploitation endpoint | T1190 | Web/app access logs | Alert on unexpected POST to serialization import endpoint |
| H2 JDBC INIT property in serialization metadata | Injection payload | T1059.004 | Metabase application logs | Hunt for INIT keyword in DB connection configs |
| Unexpected java.lang.Runtime.exec() from Metabase JVM | RCE execution | T1059 | EDR / process telemetry | Alert on Metabase (Java) spawning shell processes |
| Arbitrary file reads (/etc/passwd, /etc/shadow, config files) | Data exfiltration | T1005 | File integrity monitoring | Monitor sensitive file access from Metabase process |
| hakaioffsec PoC User-Agent or request patterns | Exploit tooling | T1595.002 | WAF / reverse proxy logs | Block or alert on known PoC signatures |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for Metabase serialization import abuse or H2 JDBC injection |
| Elastic | None | No rule for Java process spawning shell via H2 INIT injection |
| Sigma | Suspicious Java Child Process (generic) | No Metabase-specific rule; generic Java shell-spawn may catch post-exploitation |
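Since none of the listed rule sets cover the two log-side indicators in the Actionable Intel table, here is an added hunting example (not from this brief, the PoC, or any cited source) that applies them to constructed sample data: a combined-format web access log is scanned for POST requests to /api/ee/serialization/import, and H2 JDBC connection strings pulled from Metabase database configs are scanned for the INIT property. The log lines, connection strings, and the admin/alice usernames are constructed for illustration; the PoC's real User-Agent is not given in the brief, so the script only records the UA for triage rather than matching a signature.

```python
import re
from typing import Dict, List

IMPORT_ENDPOINT = "/api/ee/serialization/import"

# Combined-log-format line: src, ident, user, [ts], "METHOD path proto", status, bytes, "referer", "ua"
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# H2 parses ';KEY=VALUE' pairs after the database path as connection properties.
# INIT is the property that executes SQL on every connection open, so any
# INIT in an imported connection config is the hunt signal.
H2_INIT = re.compile(r'^jdbc:h2:.*;\s*INIT\s*=', re.IGNORECASE)

# Constructed sample access log (not real traffic).
SAMPLE_ACCESS_LOG: List[str] = [
    '10.0.0.5 - admin [29/Apr/2026:10:01:12 +0000] "POST /api/ee/serialization/import HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '10.0.0.7 - alice [29/Apr/2026:10:02:01 +0000] "GET /api/card/12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [29/Apr/2026:10:03:44 +0000] "GET /api/ee/serialization/export HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

# Constructed H2 connection strings as they might appear in Metabase DB configs
# or serialization metadata. The INIT payload here is deliberately benign.
SAMPLE_CONNECTION_STRINGS: List[str] = [
    "jdbc:h2:file:/var/lib/metabase/sample;DB_CLOSE_DELAY=-1",
    "jdbc:h2:mem:scratch;INIT=SELECT 1",
    "jdbc:postgresql://db.internal:5432/metabase",
]


def flag_import_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per POST to the serialization import endpoint."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path == IMPORT_ENDPOINT:
            hits.append({
                "src": m["src"], "user": m["user"], "ts": m["ts"],
                "status": m["status"], "ua": m["ua"],
            })
    return hits


def flag_h2_init(conn_strings: List[str]) -> List[str]:
    """Return every H2 JDBC URL that carries an INIT connection property."""
    return [c for c in conn_strings if H2_INIT.search(c)]


def run_hunt(lines: List[str], conn_strings: List[str]) -> Dict[str, int]:
    """Summarise both checks; a non-zero count in either is worth triage."""
    return {
        "import_posts": len(flag_import_requests(lines)),
        "h2_init_urls": len(flag_h2_init(conn_strings)),
    }


if __name__ == "__main__":
    for hit in flag_import_requests(SAMPLE_ACCESS_LOG):
        print("import POST:", hit)
    for url in flag_h2_init(SAMPLE_CONNECTION_STRINGS):
        print("H2 INIT in config:", url)
    print(run_hunt(SAMPLE_ACCESS_LOG, SAMPLE_CONNECTION_STRINGS))
```

Both checks are intentionally narrow: every serialization import is a legitimate admin action on some deployments, so the access-log hit is a triage lead to correlate with the user, source address and subsequent Java child-process telemetry, whereas an INIT property in a Metabase H2 connection config has no normal business reason and should be treated as a finding on its own.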
Sources: GBHackers · hakaioffsec PoC · Tenable · CyberPress
Status Updates
- CVE-2026-32202 (Windows Shell): CISA added to KEV catalog April 28; federal deadline May 12, 2026. Prioritize patching — APT28 NTLM coercion campaign ongoing. Original brief.