Exposure of Sensitive Information Through Metadata in Metabase - #VU130130

Published: August 26, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU130130
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-1230
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Metabase
Software vendor: Metabase

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the dashboard subscriptions API endpoint when handling requests for dashboard subscription metadata. A remote user can send a request that fetches metadata about dashboards and subscriptions they do not have read access to, disclosing sensitive information.

The exposed metadata may include dashboard names, creators, creation times, card names, descriptions, visualization types, and subscription recipient details such as user IDs, email addresses, and Slack channels, but does not include query results or text card contents.
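The following is an added illustration of the access-control pattern behind this class of bug; it is not Metabase's code and the data model, names and functions are hypothetical. It contrasts a subscription-metadata handler that only requires an authenticated caller with one that also checks the caller's read permission on the dashboard the subscription belongs to, and includes a small audit helper a defender can run to confirm that no subscription's metadata is returned to a user who cannot read its dashboard.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical in-memory model; real deployments keep this in the app database.
@dataclass(frozen=True)
class Dashboard:
    id: int
    name: str
    creator: str
    created_at: str
    readers: frozenset  # ids of users allowed to read this dashboard


@dataclass(frozen=True)
class Subscription:
    id: int
    dashboard_id: int
    recipient_user_ids: tuple
    recipient_emails: tuple
    slack_channel: Optional[str]


class PermissionDenied(Exception):
    """Single outcome for 'no such subscription' and 'not readable by you', so the
    response does not reveal which dashboards or subscriptions exist."""


# Constructed sample data (not from any real deployment).
DASHBOARDS = {
    1: Dashboard(1, "Finance KPIs", "alice", "2021-08-01", frozenset({10, 11})),
    2: Dashboard(2, "Public Uptime", "bob", "2021-08-02", frozenset({10, 11, 12})),
}
SUBSCRIPTIONS = {
    100: Subscription(100, 1, (10, 11), ("alice@example.com", "carol@example.com"), None),
    200: Subscription(200, 2, (12,), ("dave@example.com",), "#status"),
}


def _render(sub: Subscription, dash: Dashboard) -> dict:
    """Shape of the metadata the endpoint returns (the kind of data described above)."""
    return {
        "dashboard": {"name": dash.name, "creator": dash.creator, "created_at": dash.created_at},
        "recipient_user_ids": list(sub.recipient_user_ids),
        "recipient_emails": list(sub.recipient_emails),
        "slack_channel": sub.slack_channel,
    }


def metadata_unchecked(requester_id: Optional[int], subscription_id: int) -> dict:
    """Vulnerable pattern: authentication is checked, authorization is not.
    Any logged-in user can read the metadata of any subscription."""
    if requester_id is None:
        raise PermissionDenied("authentication required")
    sub = SUBSCRIPTIONS[subscription_id]
    return _render(sub, DASHBOARDS[sub.dashboard_id])


def metadata_checked(requester_id: Optional[int], subscription_id: int) -> dict:
    """Hardened pattern: authorize against the dashboard the subscription belongs
    to before rendering anything, and treat 'missing' and 'forbidden' alike."""
    if requester_id is None:
        raise PermissionDenied("authentication required")
    sub = SUBSCRIPTIONS.get(subscription_id)
    dash = DASHBOARDS.get(sub.dashboard_id) if sub else None
    if dash is None or requester_id not in dash.readers:
        raise PermissionDenied("not found")
    return _render(sub, dash)


def leaks(requester_id: Optional[int], subscription_id: int, handler) -> bool:
    """Audit helper: True if `handler` returns metadata to a requester who is
    not allowed to read the subscription's dashboard."""
    sub = SUBSCRIPTIONS.get(subscription_id)
    allowed = sub is not None and requester_id in DASHBOARDS[sub.dashboard_id].readers
    try:
        handler(requester_id, subscription_id)
        returned = True
    except (PermissionDenied, KeyError):
        returned = False
    return returned and not allowed


def audit(handler) -> list:
    """Every (user, subscription) pair for which `handler` leaks metadata."""
    users = {uid for d in DASHBOARDS.values() for uid in d.readers}
    return [(u, s) for u in sorted(users) for s in sorted(SUBSCRIPTIONS) if leaks(u, s, handler)]


if __name__ == "__main__":
    print("unchecked handler leaks:", audit(metadata_unchecked))
    print("checked handler leaks:  ", audit(metadata_checked))
```

The design point is that the check must be made against the object being described (the dashboard), not merely against the session: the subscription is reachable by id, so an id alone is not proof of access. Raising the same error for a missing and a forbidden subscription keeps the endpoint from confirming which ids exist.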


Remediation

Install the security update from the vendor's website.

External links