Input validation error in Metabase - CVE-2022-39361

 

Published: October 24, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130151
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-39361
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Metabase
Software vendor: Metabase

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in H2 native query handling for the sample database when processing SQL queries on H2 databases. A remote user can submit specially crafted SQL queries containing DDL statements to execute arbitrary code.

The issue is limited to users able to write SQL queries on H2 databases.


Remediation

Install the security update from the vendor's website.

External links