Information disclosure in Metabase - CVE-2022-39358


Published: October 24, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130142
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-39358
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Metabase
Software vendor: Metabase

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the backend request handling for embedded dashboard questions when processing crafted requests for data with locked parameters. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue affects signed embedding and allows locked parameters to be circumvented for requests involving a question in an embedded dashboard.
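To make the failure mode concrete, the following is an added illustration (not Metabase's own code) of how a backend should resolve parameters for a dashboard question served through a signed embed: values fixed in the signed token are locked, and a request that tries to supply a different value for a locked parameter is rejected rather than honoured. The token layout (a "resource" and a "params" claim in an HS256 JWT), the secret, the parameter names and the helper names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a deployment uses its own embedding secret.
SECRET = b"example-embedding-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_embed_token(resource: dict, locked_params: dict) -> str:
    """Mint an HS256 JWT whose 'params' claim carries the locked parameter values."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"resource": resource, "params": locked_params}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_embed_token(token: str) -> dict:
    """Check the signature and return the claims; a tampered token is rejected."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    pad = "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload + pad))


def resolve_params(token: str, request_params: dict) -> dict:
    """Effective parameters for a dashboard-question request.

    Locked values come only from the signed token. The request may supply values
    for parameters the token leaves open (assumed 'enabled' here), but any attempt
    to override a locked parameter is refused, which is the check the advisory
    describes as missing for questions inside an embedded dashboard.
    """
    locked = verify_embed_token(token)["params"]
    effective = dict(request_params)
    for name, value in locked.items():
        if name in request_params and request_params[name] != value:
            raise PermissionError(f"parameter {name!r} is locked by the embed token")
        effective[name] = value
    return effective
```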


Remediation

Install the security update from the vendor's website.

External links