Impact
Metabase's channel test endpoint can be used by a client to issue requests to arbitrary internal host addresses. This Server-Side Request Forgery flaw allows an attacker with access to the endpoint to read data from services that are otherwise isolated behind internal network boundaries, potentially exposing sensitive information. The weakness is classified as CWE-918, meaning the user-controlled destination of a server-issued request is not properly validated. The CVSS score of 2.1 reflects a low severity, but the flaw still exposes internal resources to unauthenticated users if the endpoint is reachable.
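The defensive counterpart to the flaw described above is a destination check applied before the server fetches a user-supplied channel URL. The following is an added example, not Metabase's own code: it rejects non-HTTP schemes and any hostname or literal that points at loopback, private, link-local or otherwise internal address space, checking every resolved address rather than only the first. The `resolver` parameter and the hostnames and addresses used in the test are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip) -> bool:
    """True for any address an outbound channel test should never reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for host (needs network)."""
    return sorted({info[4][0].split("%")[0]
                   for info in socket.getaddrinfo(host, None)})


def check_destination(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Decide whether a user-supplied channel URL may be fetched.

    Returns (ok, reason). `resolver` is injectable (hypothetical hook) so
    the check can be exercised offline. Every resolved address is
    inspected, not just the first, because a name with one public and one
    internal record must still be rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # numeric literal
    except ValueError:
        try:
            addrs = resolver(host)
        except socket.gaierror as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        if _is_internal(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to internal address {addr}"
    # Caveats for the caller: connect to one of the vetted addresses (or
    # re-run this check at connect time) so a DNS answer cannot change
    # between check and fetch, and do not follow redirects unchecked.
    return True, "ok"
```

The HTTP client that performs the actual fetch must honour the two caveats in the closing comment; a check that is not pinned to the connection it guards can be bypassed by a changing DNS answer or a redirect.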
Affected Systems
Versions of Metabase older than 55.13, 56.3, and 57.1 are affected. Both the standard and enterprise editions include the vulnerable channel test endpoint. The flaw exists in the open-source and beta releases of Metabase as well, as suggested by the affected-CPE data. Updating to any release equal to or newer than 55.13 (for the 55 series), 56.3 (for the 56 series), or 57.1 (for the 57 series) removes the vulnerability.
Risk and Exploitability
The CVSS score of 2.1 indicates a low impact, and the EPSS score of less than 1% suggests the risk of exploitation is very low at the time of this assessment. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to deliver a request to the channel test endpoint, which typically requires network connectivity to the Metabase instance. Because the flaw manifests only when the endpoint is exposed, the risk is further mitigated if the service is behind authentication or network restrictions.
OpenCVE Enrichment