Research Notes
July 22, 2023

Advisory: Metabase Pre-Auth RCE (CVE-2023-38646)

No items found.
Creative Commons license


An unauthenticated attacker can obtain the setup token for an instance and use it to achieve remote code execution via an endpoint that allows you to validate a H2 database connection. When validating the database, the H2 JDBC driver allows for the attacker to achieve RCE.


An attacker can execute arbitrary Java code on the system, leading to arbitrary command execution.

Affected Software

Metabase open source before and Metabase Enterprise before allow attackers to execute arbitrary commands on the server.

Product Description

Metabase is an open source business intelligence tool that lets you create charts and dashboards using data from a variety of databases and data sources.


Upgrade to the latest version of Metabase > v1.46.6.1.

Metabase’s official advisory can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Shubham Shah - Assetnote Security Research Team

Maxwell Garrett

Written by:
Shubham Shah
Max Garrett
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Get updates on our research

Subscribe to our newsletter and stay updated on the newest research, security advisories, and more!

Ready to get started?

Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.