Advisory: Metabase Pre-Auth RCE (CVE-2023-38646)

Jul 22, 2023


An unauthenticated attacker can obtain the setup token for an instance and use it to achieve remote code execution via an endpoint that allows you to validate a H2 database connection. When validating the database, the H2 JDBC driver allows for the attacker to achieve RCE.


An attacker can execute arbitrary Java code on the system, leading to arbitrary command execution.

Affected Software

Metabase open source before and Metabase Enterprise before allow attackers to execute arbitrary commands on the server.

Product Description

Metabase is an open source business intelligence tool that lets you create charts and dashboards using data from a variety of databases and data sources.


Upgrade to the latest version of Metabase > v1.46.6.1.

Metabase’s official advisory can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Shubham Shah - Assetnote Security Research Team

Maxwell Garrett

See Assetnote in action

Find out how Assetnote can help you lock down your external attack surface.

Use the lead form below, or alternatively contact us via email by clicking here.