Security Patch for Lime BI - Remote Code Execution Vulnerability

A security vulnerability has been identified in Metabase (the underlying platform for Lime BI) that, under certain circumstances, allows an authenticated administrator to achieve Remote Code Execution (RCE) and Arbitrary File Read on the server.

Severity: High

Status: Patch available

Evidence of exploitation: None observed

Environment: On-premise

  • All Lime BI installations running Metabase version 1.47 or later
  • The hotfix is compatible with Metabase version 1.49 or later
  • Older versions (1.48 or earlier) require an upgrade before the hotfix can be applied

Under specific circumstances, an authenticated Lime BI user with administrator rights may be able to execute code remotely on the server where Lime BI runs, as well as read sensitive files from it.

NB! This can only be exploited by a user who has direct administrator access to Lime BI. The affected endpoint is not used anywhere in the communication with Lime CRM.

This vulnerability was responsibly disclosed to Metabase by external security researchers and patched by Metabase. There is no evidence that this vulnerability has ever been exploited in the wild.

This issue is tracked as CVE-2026-33725. See the Metabase security advisory for details.

We have developed a hotfix that mitigates this vulnerability by updating the nginx proxy configuration to block specific HTTP requests that could exploit this vulnerability.

This hotfix blocks access to the vulnerable endpoint at the proxy layer, so requests to it are answered by nginx and never reach Metabase. The next release of Lime BI on-premise will include a patched Metabase version, and upgrading to it is the recommended long-term remediation.

Before applying the patch, verify which version of Metabase you are running:

  1. Log in to your Lime BI instance
  2. Click on the gear icon (⚙️) in the top right corner
  3. Select About Lime BI

The version number will be displayed in the format v1.xx.x (for example, v1.49.0).

  • Lime BI running Metabase version 1.49 or later
  1. Download the patch ZIP file from here
  2. Extract the ZIP file to a location on your Lime CRM server
  3. Right-click on apply-patch.bat and select “Run as Administrator”
  4. The script will automatically:
    • Create a backup of your existing nginx.conf
    • Apply the patch configuration
    • Restart the Lime CRM Webfront service (nginx)
  5. Verify the output says “Lime CRM Webfront service restarted successfully!” or check that the service is running in Windows Services

A backup of your nginx.conf configuration is automatically created in the same directory as your nginx.conf file before any changes are made.
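The four steps above (backup, patch, restart, verify), as an added example in PowerShell. This script is not the apply-patch.bat shipped with the hotfix and does not reproduce the hotfix's actual configuration; the nginx.conf path, nginx.exe path, service name, base URL and the blocked endpoint path are assumptions for illustration and must be replaced with the values from the hotfix package and the Metabase advisory. It shows the mechanism the page describes (a proxy-layer location block answering 403), validates the configuration before restarting, and then proves end to end that the block is in effect.

```powershell
# Added example, not the apply-patch.bat shipped with the Lime BI hotfix.
# Performs the same steps the page describes (backup, patch, restart, verify)
# for a proxy-level block of a Metabase endpoint. Every path, the service
# name, the base URL and the endpoint below are assumptions; take the real
# values from the hotfix package and the Metabase advisory.
#Requires -RunAsAdministrator
param(
    [string]$NginxConf   = 'C:\ProgramData\Lime CRM\nginx\conf\nginx.conf',  # assumed
    [string]$NginxExe    = 'C:\ProgramData\Lime CRM\nginx\nginx.exe',        # assumed
    [string]$ServiceName = 'Lime CRM Webfront',                              # assumed
    [string]$BlockedPath = '/api/REPLACE-WITH-ENDPOINT-FROM-ADVISORY',       # placeholder
    [string]$BaseUrl     = 'https://localhost'                               # assumed
)
$ErrorActionPreference = 'Stop'
$marker = '# lime-bi-hotfix: block vulnerable Metabase endpoint'

# Returns the HTTP status a GET to $Url receives. Invoke-WebRequest throws on
# non-2xx in both Windows PowerShell 5.1 and PowerShell 7; the status is read
# back from the exception's response object in that case.
function Get-HttpStatus([string]$Url) {
    try {
        return [int](Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# 1. Backup next to the original, timestamped so repeated runs never overwrite it.
$backup = "$NginxConf.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $NginxConf -Destination $backup
Write-Host "Backup written to $backup"

# 2. Insert the block at the top of the first server { } context.
#    'location ^~' is a prefix match that suppresses regex locations, so a
#    later 'location ~ ...' cannot take the request; 'return 403' answers
#    at the proxy, so the request never reaches Metabase.
$conf = [IO.File]::ReadAllText($NginxConf)
if ($conf.Contains($marker)) {
    Write-Host 'Hotfix block already present; configuration unchanged.'
} else {
    $block = @"

        $marker
        location ^~ $BlockedPath {
            return 403;
        }
"@
    $m = [regex]::Match($conf, '(?m)^\s*server\s*\{')
    if (-not $m.Success) { throw "No server { } block found in $NginxConf" }
    $patched = $conf.Insert($m.Index + $m.Length, $block)
    # Write without a BOM: a BOM in front of the first directive breaks nginx parsing.
    [IO.File]::WriteAllText($NginxConf, $patched, [Text.UTF8Encoding]::new($false))
}

# 3. Validate before restarting; on failure restore the backup so the Webfront
#    never comes back up with a broken configuration. -p is the nginx prefix
#    (assumed to be the directory holding nginx.exe). ErrorActionPreference is
#    relaxed around the native call because nginx -t reports on stderr.
$prev = $ErrorActionPreference; $ErrorActionPreference = 'Continue'
& $NginxExe -t -p (Split-Path -Parent $NginxExe) -c $NginxConf
$ErrorActionPreference = $prev
if ($LASTEXITCODE -ne 0) {
    Copy-Item -LiteralPath $backup -Destination $NginxConf -Force
    throw 'nginx rejected the patched configuration; backup restored.'
}

# 4. Restart and confirm the service actually came back.
Restart-Service -Name $ServiceName
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') { throw "$ServiceName is $($svc.Status) after restart" }
Write-Host "$ServiceName restarted successfully"

# 5. Prove the block is in effect: the proxy itself must answer 403. A 401 or
#    200 means the request reached Metabase, i.e. the block is not effective
#    (wrong server block, or a longer prefix location matching first).
$status = Get-HttpStatus "$BaseUrl$BlockedPath"
if ($status -ne 403) { throw "Expected 403 from $BlockedPath, got $status" }
Write-Host "Endpoint $BlockedPath is blocked at the proxy (HTTP $status)"
```

Run it from an elevated PowerShell prompt after substituting the real values. The final check must be made against the same host name and port that Lime BI users connect through; if the Webfront uses a certificate that does not match the name in $BaseUrl, Invoke-WebRequest refuses the TLS connection (PowerShell 7 offers -SkipCertificateCheck for a local test). The check only confirms the one path you pass in; if the advisory lists several request forms, test each of them.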

Metabase versions older than 1.49 are no longer supported. If your Lime BI installation is running Metabase version 1.48 or earlier, you must upgrade before applying this hotfix.

Please contact our Support to schedule an upgrade of your Lime BI setup.

Recommended actions:

  1. Check your Metabase version using the instructions above
  2. Apply the hotfix as soon as possible if you're running Metabase 1.49 or later
  3. Schedule an upgrade if you're running version 1.48 or earlier
  4. As a general best practice, ensure Lime BI is not directly exposed to the public internet without appropriate access controls
  5. Contact Support if you need assistance
  • Last modified: 3 hours ago
  • by Johan Andersson