Main Vulnerability Database Vulnerabilities #VU130138

Information disclosure in Metabase - #VU130138

Published: March 27, 2021 / Updated: May 5, 2026

Vulnerability identifier: #VU130138

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Metabase

Software vendor:
Metabase

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in filter list handling in the query builder when using filters of the type "A list of all values" with data sandboxing enabled. A remote user can use crafted filter requests to disclose sensitive information.

If field values are available, all values are shown to sandboxed users. If scan-data is unavailable, the first request returns correct values, but subsequent requests from any users may see the results from the first request.

Remediation

Install security update from vendor's website.

External links

https://github.com/metabase/metabase/security/advisories/GHSA-m8w4-6wxv-8v6m

Information disclosure in Metabase - #VU130138

Description

Remediation

External links

Please verify you're human