14 matches found

CVE
added 2026/01/12 10:36 p.m. · 9 views

CVE-2026-22805

Metabase is affected when a self-hosted instance that allows users to create subscriptions is colocated with other unsecured resources. The issue is fixed in Metabase versions 55.13, 56.3, and 57.1. If using earlier versions, upgrade to one of these fixed releases to mitigate the vulnerability.

CVSS 8.6 · AI score 6.3 · EPSS 0.00059
Exploits 0 · References 1 · Affected Software 1

RedhatCVE
added 2026/01/09 8:54 a.m. · 7 views

CVE-2021-41277

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being...

CVSS 10 · AI score 6.5 · EPSS 0.94353
Exploits 5 · References 1

EUVD
added 2025/10/03 8:07 p.m. · 1 views

EUVD-2022-41824

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.6 · EPSS 0.00222
Exploits 0 · References 1

RedhatCVE
added 2025/05/22 10:11 p.m. · 3 views

CVE-2022-39360

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions...

CVSS 6.5 · AI score 6.9 · EPSS 0.00168
Exploits 0 · References 1

NVD
added 2025/04/10 3:16 p.m. · 10 views

CVE-2025-32382

Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase either updating a password or changing password to private key or vice versa, Metabase would not always purge older Snowflake connection details from the...

CVSS 1.8 · EPSS 0.00183
Exploits 0 · References 1

RedhatCVE
added 2025/03/30 3:32 p.m. · 17 views

CVE-2025-30371

Metabase is a business intelligence and embedded analytics tool. Versions prior to v0.52.16.4, v1.52.16.4, v0.53.8, and v1.53.8 are vulnerable to circumvention of local link access protection in GeoJson endpoint. Self hosted Metabase instances that are using the GeoJson feature could be potential...

CVSS 2.1 · AI score 6.9 · EPSS 0.00278
Exploits 0 · References 1

RedhatCVE
added 2025/02/05 9:53 p.m. · 8 views

CVE-2022-24854

Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called ATTACH DATABASE, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach...

CVSS 8.8 · AI score 7.3 · EPSS 0.00291
Exploits 0 · References 1

RedhatCVE
added 2025/02/05 9:48 p.m. · 6 views

CVE-2022-24855

Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to...

CVSS 8.7 · AI score 5.9 · EPSS 0.0042
Exploits 0 · References 1

RedhatCVE
added 2025/02/05 7:34 p.m. · 5 views

CVE-2022-39361

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9, H2 (Sample Database) could allow Remote Code Execution (RCE), which can be abused by users able to write SQL queries on H2 databases. This issue is patched in versions 0.44.5...

CVSS 8.8 · AI score 7.9 · EPSS 0.01607
Exploits 0 · References 1

NVD
added 2024/12/16 8:15 p.m. · 15 views

CVE-2024-55951

Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There ar...

CVSS 4.8 · EPSS 0.00288
Exploits 0 · References 3

Vulnrichment
added 2023/05/18 10:55 p.m. · 6 views

CVE-2023-32680 Missing SQL permissions check in metabase

Metabase is an open source business analytics engine. To edit SQL Snippets, Metabase should have required people to be in at least one group with native query editing permissions to a database–but affected versions of Metabase didn't enforce that requirement. This lack of enforcement meant that:...

CVSS 5.8 · AI score 9.4 · EPSS 0.00193
Exploits 0 · References 4

Positive Technologies
added 2023/05/18 12:00 a.m. · 4 views

PT-2023-23956 · Metabase · Metabase

Name of the Vulnerable Software and Affected Versions: Metabase versions prior to 0.44.7; Metabase versions prior to 0.45.4; Metabase versions prior to 0.46.3; Metabase versions prior to 1.44.7; Metabase versions prior to 1.45.4; Metabase versions prior to 1.46.3. Description: Metabase is an open sourc...

CVSS 9.6 · AI score 9.4 · EPSS 0.00193
Exploits 0 · References 7

Vulnrichment
added 2022/04/14 9:45 p.m. · 8 views

CVE-2022-24853 File system exposure in Metabase

Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result ...

CVSS 5.9 · AI score 5.9 · EPSS 0.09729
Exploits 1 · References 3

Vulnrichment
added 2022/04/14 9:35 p.m. · 3 views

CVE-2022-24855 XSS vulnerability in Metabase

Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to...

CVSS 8.7 · AI score 8.1 · EPSS 0.0042
Exploits 0 · References 2