diff --git a/.github/workflows/address-sanitizer.yml b/.github/workflows/address-sanitizer.yml
index dde5bcc..4935b0e 100644
--- a/.github/workflows/address-sanitizer.yml
+++ b/.github/workflows/address-sanitizer.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
   schedule:
     - cron: '13 15 * * SUN'
+
+permissions: {}
+
 jobs:
   build:
     name: Address Sanitizer
diff --git a/.github/workflows/clang-analyzer.yml b/.github/workflows/clang-analyzer.yml
index 1c5460f..0fd30ab 100644
--- a/.github/workflows/clang-analyzer.yml
+++ b/.github/workflows/clang-analyzer.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: '3 15 * * SUN'
 
+permissions: {}
+
 jobs:
   clang-analyzer:
     name: Clang Static Analysis
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e9969c7..7c36265 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -8,6 +8,8 @@ on:
   schedule:
     - cron: '0 18 * * 0'
 
+permissions: {}
+
 jobs:
   CodeQL-Build:
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5f13aac..fd62a89 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ on:
     types:
       - published
 
+permissions: {}
+
 jobs:
   build_wheels:
     name: Build wheels on ${{ matrix.os }}
diff --git a/.github/workflows/test-libmaxminddb.yml b/.github/workflows/test-libmaxminddb.yml
index 73c78b2..0b44861 100644
--- a/.github/workflows/test-libmaxminddb.yml
+++ b/.github/workflows/test-libmaxminddb.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: '3 15 * * SUN'
 
+permissions: {}
+
 jobs:
   build:
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c1f91ac..500d20c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: '3 15 * * SUN'
 
+permissions: {}
+
 jobs:
   build:
 
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index c09cf12..7ca9cb2 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor latest via PyPI
diff --git a/HISTORY.rst b/HISTORY.rst
index 0456b44..4f262dc 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -7,6 +7,8 @@ History
 ++++++++++++++++++
 
 * The vendored ``libmaxminddb`` has been updated to 1.12.2.
+* The C extension now checks that the database metadata lookup was
+  successful.
 
 2.6.3 (2025-01-09)
 ++++++++++++++++++
diff --git a/extension/maxminddb.c b/extension/maxminddb.c
index d685792..5faf045 100644
--- a/extension/maxminddb.c
+++ b/extension/maxminddb.c
@@ -351,7 +351,14 @@ static PyObject *Reader_metadata(PyObject *self, PyObject *UNUSED(args)) {
     }
 
     MMDB_entry_data_list_s *entry_data_list;
-    MMDB_get_metadata_as_entry_data_list(mmdb_obj->mmdb, &entry_data_list);
+    int status =
+        MMDB_get_metadata_as_entry_data_list(mmdb_obj->mmdb, &entry_data_list);
+    if (status != MMDB_SUCCESS) {
+        PyErr_Format(MaxMindDB_error,
+                     "Error decoding metadata. %s",
+                     MMDB_strerror(status));
+        return NULL;
+    }
     MMDB_entry_data_list_s *original_entry_data_list = entry_data_list;
 
     PyObject *metadata_dict = from_entry_data_list(&entry_data_list);