A security vulnerability has been identified in Metabase (the underlying platform for Lime BI) that could potentially allow authenticated administrators to achieve Remote Code Execution (RCE) and Arbitrary File Read under certain circumstances.
Severity: High
Status: Patch available
Evidence of exploitation: None observed
Environment: On-premise
Under specific circumstances, an authenticated Lime BI user with administrator rights may be able to execute code remotely on the server where Lime BI runs, as well as read sensitive files from it.
NB! This can only be exploited by a user who has direct administrator access to Lime BI. The affected endpoint is not used anywhere in the communication with Lime CRM.
This vulnerability was responsibly disclosed to Metabase by external security researchers and patched by Metabase. There is no evidence that this vulnerability has ever been exploited in the wild.
This issue is tracked as CVE-2026-33725. See the Metabase security advisory for details.
We have developed a hotfix that mitigates this vulnerability by updating the nginx proxy configuration to block specific HTTP requests that could exploit this vulnerability.
This hotfix blocks access to the vulnerable endpoint at the proxy layer. The next release of Lime BI on-premise will include a patched Metabase version, and upgrading to that release is the recommended long-term remediation.
Before applying the patch, verify which version of Metabase you are running:
The version number will be displayed in the format v1.xx.x (for example, v1.49.0).
Right-click apply-patch.bat and select “Run as Administrator”. A backup of your nginx.conf configuration is automatically created in the same directory as your nginx.conf file before any changes are made.
Metabase versions older than 1.49 are no longer supported. If your Lime BI installation is running Metabase version 1.48 or earlier, you must upgrade before applying this hotfix.
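The version check above (a tag in the form v1.xx.x, with 1.49 as the minimum for this hotfix) is easy to get wrong when done by eye, so here is an added example script that performs it; it is not part of Lime's hotfix or Metabase's own tooling. It assumes the unauthenticated Metabase endpoint `/api/session/properties` returns a JSON document whose `version.tag` field carries the tag (an assumption about the response layout; confirm against your instance), and it includes a constructed sample response so it runs offline.

```python
import json
import re
import urllib.request
from typing import Optional, Tuple

# Minimum Metabase version for which the nginx hotfix is supported,
# per the advisory: "1.48 or earlier" must be upgraded first.
MIN_SUPPORTED = (1, 49)

# Constructed sample of a /api/session/properties response (trimmed to the
# field this script uses); not captured from a real server.
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v1.49.0", "date": "2024-01-01", "branch": "release-x.49.x"}
})

_TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_metabase_version(tag: str) -> Tuple[int, int, int]:
    """Turn a tag such as 'v1.49.0' into (major, minor, patch)."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def hotfix_applicable(tag: str) -> bool:
    """True when the running version is 1.49 or newer, i.e. the hotfix may be applied.

    Assumption: Lime BI ships the v1.x line, so only major/minor are compared;
    the patch component does not affect support for the hotfix.
    """
    major, minor, _ = parse_metabase_version(tag)
    return (major, minor) >= MIN_SUPPORTED


def version_from_properties(json_text: str) -> str:
    """Extract the version tag from a /api/session/properties JSON body."""
    doc = json.loads(json_text)
    try:
        return doc["version"]["tag"]
    except (KeyError, TypeError) as exc:
        raise ValueError("response has no version.tag field") from exc


def fetch_version_tag(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the tag from a live instance (network; not exercised in the test).

    base_url is the address you would open Lime BI on, e.g. http://bi.example.internal:3000
    (placeholder host).
    """
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310
        return version_from_properties(resp.read().decode("utf-8"))


def check(tag_or_json: str, is_json: bool = False) -> Optional[str]:
    """Return a human-readable verdict, or None if the tag cannot be parsed."""
    try:
        tag = version_from_properties(tag_or_json) if is_json else tag_or_json
        ok = hotfix_applicable(tag)
    except ValueError:
        return None
    if ok:
        return f"{tag}: hotfix can be applied"
    return f"{tag}: older than 1.49, upgrade before applying the hotfix"


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    print(check(SAMPLE_PROPERTIES, is_json=True))
    print(check("v1.48.3"))
```

To run it against a live instance, call `fetch_version_tag("http://<your-lime-bi-host>")` and pass the result to `check`; the script deliberately never touches the affected endpoint, it only reads the public version information.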
Please contact our Support to schedule an upgrade of your Lime BI setup: