====== Security Patch for Lime BI - Remote Code Execution Vulnerability ======
===== Overview =====
A security vulnerability has been identified in Metabase (the platform underlying Lime BI) that, under certain circumstances, allows an authenticated administrator to achieve Remote Code Execution (RCE) and arbitrary file read on the server.
**Severity:** High
**Status:** Patch available
**Evidence of exploitation:** None observed
**Environment**: On-premise
===== Vulnerability Details =====
==== What is affected? ====
* All Lime BI installations running Metabase version 1.47 or later.
* The hotfix is compatible with Metabase version 1.49 or later
* Older versions (1.48 or earlier) require an upgrade before the hotfix can be applied
==== What is the risk? ====
Under specific circumstances, an authenticated Lime BI user with administrator rights may be able to execute code on the server where Lime BI runs and read sensitive files from it.
NB! This can only be exploited by a user who has direct administrator access to Lime BI. The affected endpoint is not used anywhere in the communication with Lime CRM.
==== Who discovered this? ====
This vulnerability was responsibly disclosed to Metabase by external security researchers and patched by Metabase. There is no evidence that this vulnerability has ever been exploited in the wild.
This issue is tracked as CVE-2026-33725. See the [[https://github.com/metabase/metabase/security/advisories/GHSA-fppj-vcm3-w229|Metabase security advisory]] for details.
===== Solution =====
We have developed a hotfix that mitigates this vulnerability by updating the nginx proxy configuration so that HTTP requests to the vulnerable endpoint are rejected before they reach Metabase.
This hotfix blocks access to the vulnerable endpoint at the proxy layer only; the Metabase application itself is unchanged, so the block protects traffic that passes through nginx and does not replace an upgrade. The next release of Lime BI on-premise will include a patched Metabase version, and upgrading to it is the recommended long-term remediation.
==== Check Your Metabase Version ====
Before applying the patch, verify which version of Metabase you are running:
- Log in to your Lime BI instance
- Click on the **gear icon** (⚙️) in the top right corner
- Select **About Lime BI**
The version number will be displayed in the format ''v1.xx.x'' (for example, ''v1.49.0'').
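When several installations need checking, the same version can be read without logging in: Metabase exposes its build tag through the ''/api/session/properties'' endpoint. The script below is an added example for this page, not part of the Lime BI patch. It assumes that endpoint returns a ''version.tag'' field such as ''v1.49.0'' (the base URL is a placeholder), compares the version numerically rather than as a string, and maps the result onto the three cases in this advisory: below 1.47, 1.47/1.48, and 1.49 or later.

```powershell
# Added example, not part of the Lime BI patch. Placeholder: the base URL.
# Assumption: Metabase's /api/session/properties returns version.tag ("v1.49.0").

function Get-MetabaseVersionTag {
    param([Parameter(Mandatory)][string]$BaseUrl)
    # The properties endpoint needs no session; Invoke-RestMethod parses the JSON.
    $props = Invoke-RestMethod -Uri ($BaseUrl.TrimEnd('/') + '/api/session/properties') -Method Get
    return [string]$props.version.tag
}

function Get-HotfixAction {
    param([Parameter(Mandatory)][string]$Tag)
    # Accepts "v1.49.0", "1.49.0" or "v1.49.0-rc"; only major.minor decide the case.
    if ($Tag -notmatch '^v?(\d+)\.(\d+)') { throw "Unrecognised Metabase version tag: $Tag" }
    # Compare as System.Version, not as strings: "1.100" must sort above "1.49".
    $v = [version]('{0}.{1}' -f $Matches[1], $Matches[2])
    if ($v -lt [version]'1.47') { return 'outside-affected-range' }  # advisory lists 1.47 and later
    if ($v -lt [version]'1.49') { return 'upgrade-required' }        # 1.47/1.48: hotfix cannot be applied
    return 'apply-hotfix'                                            # 1.49 and later
}

# Usage (placeholder URL): prints one line per server, e.g. "v1.49.0 -> apply-hotfix"
foreach ($url in @('https://lime-bi.example.internal')) {
    $tag = Get-MetabaseVersionTag -BaseUrl $url
    '{0}: {1} -> {2}' -f $url, $tag, (Get-HotfixAction -Tag $tag)
}
```

Add further base URLs to the array to produce a per-server list of what action each installation needs.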
==== Prerequisites ====
* Lime BI running **Metabase version 1.49 or later**
==== Installation Instructions ====
- **Download the patch** ZIP file from [[https://builds.lundalogik.com/api/v1/builds/lime-bi-patch-2602/versions/latest/file|here]]
- **Extract the ZIP file** to a location on your Lime CRM server
- **Right-click** on ''apply-patch.bat'' and select **"Run as Administrator"**
- The script will automatically:
* Create a backup of your existing nginx.conf
* Apply the patch configuration
* Restart the Lime CRM Webfront service (nginx)
- **Verify** the output says "Lime CRM Webfront service restarted successfully!" or check that the service is running in Windows Services
A backup of your nginx.conf configuration is automatically created in the same directory as your nginx.conf file before any changes are made.
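The steps the script performs can also be reproduced and, more importantly, verified by hand. The PowerShell below is an added example, not Lime's ''apply-patch.bat'': it backs up ''nginx.conf'', inserts an exact-match ''location'' that returns 403 for the blocked request path, validates the configuration with ''nginx -t'' before touching the service (a broken configuration would otherwise leave the proxy down), restarts the Webfront service, and then checks from the outside that the path is refused. Run it from an elevated PowerShell prompt. The file paths, the service name, the insertion point and the request path ''/api/example-blocked-endpoint'' are all placeholders; this page does not name the endpoint, and the real one is in the patch file.

```powershell
# Added example, not Lime's apply-patch.bat. Every value below is an assumption
# or placeholder, not taken from the patch; adjust before use.
param(
    [string]$NginxConf    = 'C:\path\to\nginx\conf\nginx.conf',   # assumed location of nginx.conf
    [string]$NginxExe     = 'C:\path\to\nginx\nginx.exe',         # assumed location of nginx.exe
    [string]$ServiceName  = 'LimeCRMWebfront',                    # assumed Windows service name of the Webfront
    [string]$BaseUrl      = 'https://lime-bi.example.internal',   # assumed Lime BI URL as seen by users
    [string]$BlockedPath  = '/api/example-blocked-endpoint',      # hypothetical; the real path is in the patch
    [string]$InsertBefore = '^\s*location\s+/\s*\{'               # assumed: the prefix location that proxies to Metabase
)

# 1. Timestamped backup beside nginx.conf, as the real patch also does.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$NginxConf.$stamp.bak"
Copy-Item -LiteralPath $NginxConf -Destination $backup -ErrorAction Stop
Write-Host "Backup written to $backup"

# 2. The rule. An exact-match location (location =) takes precedence over prefix
#    locations in the same server block regardless of order, so the request never
#    reaches proxy_pass. The marker comment makes the edit idempotent.
$marker = "# lime-bi-hotfix: block $BlockedPath"
$rule   = @"
        $marker
        location = $BlockedPath {
            return 403;
        }
"@

$lines = @(Get-Content -LiteralPath $NginxConf -ErrorAction Stop)
if ($lines -match [regex]::Escape($marker)) {
    Write-Host 'Rule already present; configuration left unchanged.'
} else {
    $idx = 0
    while ($idx -lt $lines.Count -and $lines[$idx] -notmatch $InsertBefore) { $idx++ }
    if ($idx -ge $lines.Count) { throw "No line matching '$InsertBefore' in $NginxConf" }
    $list = [System.Collections.Generic.List[string]]$lines
    $list.InsertRange($idx, [string[]]@($rule -split "`r?`n"))
    # Write without a BOM so nginx does not choke on the first byte of the file.
    [System.IO.File]::WriteAllLines($NginxConf, [string[]]$list, (New-Object System.Text.UTF8Encoding($false)))
}

# 3. Validate before restarting; on failure, put the backup back.
$prefix = Split-Path -Parent $NginxExe
$check  = & $NginxExe -p $prefix -t -c $NginxConf 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    Copy-Item -LiteralPath $backup -Destination $NginxConf -Force
    throw "nginx -t failed, backup restored:`n$check"
}

# 4. Restart the Webfront service and confirm it came back.
Restart-Service -Name $ServiceName -ErrorAction Stop
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') { throw "$ServiceName is $($svc.Status), not Running" }

# 5. Verify from the outside: the blocked path must be refused by the proxy.
function Get-StatusCode([string]$Url) {
    try   { return [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -Method Get).StatusCode }
    catch { return [int]$_.Exception.Response.StatusCode }   # 0 if no HTTP response at all
}
$code = Get-StatusCode ($BaseUrl.TrimEnd('/') + $BlockedPath)
if ($code -ne 403) { throw "Expected 403 for $BlockedPath, got $code" }
Write-Host "Hotfix applied and verified: $BlockedPath returns 403"
```

The final request is the check worth keeping after the official patch as well: if the blocked path still answers with anything other than 403 through the proxy, the hotfix is not in effect on that server.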
==== For Older Versions (Pre-1.49) ====
**Metabase versions older than 1.49 are no longer supported.** If your Lime BI installation is running Metabase version **1.48 or earlier**, you must upgrade before applying this hotfix.
Please contact our Support to schedule an upgrade of your Lime BI setup:
* https://customer.lime-technologies.com/
===== Recommendations =====
- **Check your Metabase version** using the instructions above
- **Apply the hotfix as soon as possible** if you're running Metabase 1.49 or later
- **Schedule an upgrade** if you're running version 1.48 or earlier
- As a general best practice, **ensure Lime BI is not directly exposed to the public internet without appropriate access controls**
- **Contact Support** if you need assistance