
CVE-2025-32382 – Snowflake credentials logged by the Metabase backend
https://notcve.org/view.php?id=CVE-2025-32382
10 Apr 2025 — Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or switching from a password to a private key, or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase fo... • https://github.com/metabase/metabase/security/advisories/GHSA-832j-56xw-5p7f • CWE-532: Insertion of Sensitive Information into Log File

CVE-2025-30371 – Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint
https://notcve.org/view.php?id=CVE-2025-30371
28 Mar 2025 — Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in the GeoJson endpoint. Self-hosted Metabase instances that use the GeoJson feature could be impacted if Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet wit... • https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98 • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVE-2023-37470 – Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint
https://notcve.org/view.php?id=CVE-2023-37470
04 Aug 2023 — Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (H2, an embedded in-memory database) exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase al... • https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-38646 – Metabase Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-38646
21 Jul 2023 — Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token remains accessible even after the setup process has been completed. With this token a user is able to submit the setup functio... • https://packetstorm.news/files/id/174091

CVE-2023-32680 – Missing SQL permissions check in metabase
https://notcve.org/view.php?id=CVE-2023-32680
18 May 2023 — Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database, but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that anyone, including people in sandboxed groups, could edit SQL snippets. They could edit snippets via the API or, in the application UI, when editing the metadata for a model based on a SQL question, and people in sandb... • https://github.com/metabase/metabase/pull/30852 • CWE-306: Missing Authentication for Critical Function

CVE-2023-23629 – Metabase subject to Improper Privilege Management
https://notcve.org/view.php?id=CVE-2023-23629
28 Jan 2023 — Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboard subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard subscription and add people with fewer data privileges, and all recipients of that subscription receive the same data: the charts shown in the email would abide by the privileges of the user who created the subscri... • https://github.com/metabase/metabase/security/advisories/GHSA-ch8f-hhq9-7gv5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-269: Improper Privilege Management

CVE-2023-23628 – Metabase subject to Exposure of Sensitive Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2023-23628
28 Jan 2023 — Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandboxed user views the settings for a dashboard subscription to which another user has added recipients, the sandboxed user is able to view the list of recipients for that subscription. This issue is patched in versions 0.43.7.... • https://github.com/metabase/metabase/security/advisories/GHSA-492f-qxr3-9rrv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2022-39358 – Metabase vulnerable to circumvention of Locked parameter in Signed Embedding
https://notcve.org/view.php?id=CVE-2022-39358
26 Oct 2022 — Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6, it was possible to circumvent locked parameters when requesting data for a question in an embedded dashboard by constructing a malicious request to the backend. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, and 1.42.6. • https://github.com/metabase/metabase/security/advisories/GHSA-8qgm-9mj6-36h3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-667: Improper Locking

CVE-2022-39359 – Metabase's GeoJSON validation doesn't prevent redirects to blocked URLs
https://notcve.org/view.php?id=CVE-2022-39359
26 Oct 2022 — Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, custom GeoJSON map URLs would follow redirects to addresses that were otherwise disallowed, such as link-local or private-network addresses. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase no longer follows redirects on GeoJSON map URLs. An environment variable `MB_CUSTOM_GEOJSON_ENABLED` was also added to disable custom GeoJSO... • https://github.com/metabase/metabase/commit/057e2d67fcbeb6b48db68b697e022243e3a5771e • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2022-39360 – Metabase SSO users able to circumvent IdP login by doing password reset
https://notcve.org/view.php?id=CVE-2022-39360
26 Oct 2022 — Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign-on (SSO) users were able to perform password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login. • https://github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730 • CWE-287: Improper Authentication CWE-304: Missing Critical Step in Authentication