Product UI does not warn user of unsafe actions in Metabase - CVE-2022-39362


Published: October 24, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130149
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-39362
CWE-ID: CWE-356
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Metabase
Software vendor:
Metabase

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries.

The vulnerability exists because the product UI does not warn the user of unsafe actions in the native query editor when handling unsaved SQL queries supplied through a query hash. A remote attacker can trick a victim into opening a crafted query link, causing arbitrary SQL queries to be executed.

Unsaved SQL queries are executed automatically, without the user having to run them manually.


Remediation

Install the security update from the vendor's website.

External links