CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-32382 – Snowflake credentials logged by the Metabase backend
https://notcve.org/view.php?id=CVE-2025-32382
10 Apr 2025 — Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the application database. In order to remove older and stale connection details, Metabase would try one connection method at a time and purge all the other connection methods from the application database. When Metabase fo... • https://github.com/metabase/metabase/security/advisories/GHSA-832j-56xw-5p7f • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30371 – Metabase vulnerable to circumvention of local link access protection in GeoJson endpoint
https://notcve.org/view.php?id=CVE-2025-30371
28 Mar 2025 — Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potentially impacted if their Metabase is colocated with other unsecured resources. This is fixed in v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8. Migrating to Metabase Cloud or redeploying Metabase in a dedicated subnet wit... • https://github.com/metabase/metabase/security/advisories/GHSA-8xf9-9jc8-qp98 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-27141 – Metabase Enterprise Edition allows cached questions to leak data to impersonated users
https://notcve.org/view.php?id=CVE-2025-27141
24 Feb 2025 — Metabase Enterprise Edition is the enterprise version of Metabase business intelligence and data analytics software. Starting in version 1.47.0 and prior to versions 1.50.36, 1.51.14, 1.52.11, and 1.53.2 of Metabase Enterprise Edition, users with impersonation permissions may be able to see results of cached questions, even if their permissions don’t allow them to see the data. If some user runs a question which gets cached, and then an impersonated user runs that question, then the impersonated user sees t... • https://github.com/metabase/metabase/security/advisories/GHSA-6cc4-h534-xh5p • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55951 – Metabase sandboxed users could see filter values from other sandboxed users
https://notcve.org/view.php?id=CVE-2024-55951
16 Dec 2024 — Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading. • https://downloads.metabase.com/v0.52.2.5/metabase.jar • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •