Improper access control in Metabase - CVE-2024-55951

 


Published: December 16, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU130154
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-55951
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Metabase
Affected software:
Metabase

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in field filter value caching when handling sandboxed dashboard filters. A remote user can access a dashboard with field filters to disclose sensitive information.

This only affects Metabase Enterprise instances with sandboxing configurations created in the affected release range, and user interaction is required.


How to mitigate CVE-2024-55951

Install the security update from the vendor's website.

Sources