diff --git a/internal/formats/common/cyclonedxhelpers/decoder.go b/internal/formats/common/cyclonedxhelpers/decoder.go
index 566ffd1418f..43ff2607b44 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder.go
@@ -46,7 +46,7 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
 meta := source.Metadata{}
- if bom.Metadata != nil {
+ if bom.Metadata != nil && bom.Metadata.Component != nil {
 meta = decodeMetadata(bom.Metadata.Component)
 }
 s := &sbom.SBOM{
diff --git a/internal/formats/common/cyclonedxhelpers/decoder_test.go b/internal/formats/common/cyclonedxhelpers/decoder_test.go
index e18e89f0a33..40b95b9dd4f 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder_test.go
@@ -258,3 +258,18 @@ func Test_decode(t *testing.T) {
 })
 }
 }
+
+func Test_missingDataDecode(t *testing.T) {
+ bom := &cyclonedx.BOM{
+ Metadata: nil,
+ Components: &[]cyclonedx.Component{},
+ }
+
+ _, err := toSyftModel(bom)
+ assert.NoError(t, err)
+
+ bom.Metadata = &cyclonedx.Metadata{}
+
+ _, err = toSyftModel(bom)
+ assert.NoError(t, err)
+}
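Review bot: The nil check sits only at this call site in `toSyftModel`, so `decodeMetadata` (defined outside the hunk) presumably still dereferences its argument, and any other caller passing a nil component would panic the same way. This path decodes externally supplied SBOM documents, so a panic on a missing optional field is an availability problem for anything that ingests third-party BOMs. An early return inside the helper would be sturdier, for example `if c == nil { return source.Metadata{} }` using whatever the parameter is actually named. A comment above the condition would also help, such as `// metadata and metadata.component are optional in CycloneDX; leave meta zero-valued when either is absent`. The body of `toSyftModel` continues past the hunk, so the other pointer fields of the BOM are worth the same check there.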
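Review bot: Both cases in `Test_missingDataDecode` keep `Components: &[]cyclonedx.Component{}`, so a document that omits the components pointer entirely is never exercised; if the decoder is meant to tolerate that, a third case with `Components: nil` would pin it down. The test also discards the returned SBOM and only asserts `NoError`, so a regression that returns garbage source metadata would still pass. Capturing the result and comparing its source metadata to the zero `source.Metadata{}` would make the intended outcome explicit. Splitting the cases into `t.Run` subtests, as `Test_decode` above appears to do, would keep a failure in one case from hiding the other.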