An independent security researcher submitted a severe issue with Metabase.
While we have no evidence that the vulnerability was ever exploited in the wild, and exploiting this vulnerability isn’t simple, **if you are self-hosting Metabase, you should IMMEDIATELY update your Metabase instances.**
The vulnerability
The vulnerability allows an authenticated user (including embedding users) to retrieve sensitive information from a Metabase instance, including database access credentials. You can view the security advisory in full at https://github.com/metabase/metabase/security/advisories/GHSA-vcj8-rcm8-gfj9
Are you affected?
Metabase Cloud customers don't need to upgrade
No action needed. We've already upgraded your Metabase, and you're no longer vulnerable.
All self-hosted Metabases, including customers, should upgrade immediately
You should immediately upgrade to the latest point version of whichever Metabase version you're running.
See the list of versions below and find the latest point version for the Metabase version you're running. If you're running a point version below that version, you are still vulnerable and should upgrade immediately.
For example, if you are running 1.58.6, you should upgrade to the 1.58.7 release or later. If you’re running a version of Metabase below version 55, you should upgrade to one of the versions listed below. You can find your current version by clicking on the "gear" icon in the upper right and selecting "About Metabase."
If you're running a custom fork of Metabase, reach out to us for the patches
Please reply to this email or email us at help@metabase.com so we can provide you the appropriate patches.
Minimum safe releases for each Metabase version
The downloads below include the minimum safe release for each Metabase version.
55
v0.55.20
Docker image: metabase/metabase:v0.55.20
Download the JAR here: https://downloads.metabase.com/v0.55.20/metabase.jar
v1.55.20
Docker image: metabase/metabase-enterprise:v1.55.20
Download the JAR here: https://downloads.metabase.com/enterprise/v1.55.20/metabase.jar
56
v0.56.20
Docker image: metabase/metabase:v0.56.20
Download the JAR here: https://downloads.metabase.com/v0.56.20/metabase.jar
v1.56.20
Docker image: metabase/metabase-enterprise:v1.56.20
Download the JAR here: https://downloads.metabase.com/enterprise/v1.56.20/metabase.jar
57
v0.57.13
Docker image: metabase/metabase:v0.57.13
Download the JAR here: https://downloads.metabase.com/v0.57.13/metabase.jar
v1.57.13
Docker image: metabase/metabase-enterprise:v1.57.13
Download the JAR here: https://downloads.metabase.com/enterprise/v1.57.13/metabase.jar
58
v0.58.7
Docker image: metabase/metabase:v0.58.7
Download the JAR here: https://downloads.metabase.com/v0.58.7/metabase.jar
v1.58.7
Docker image: metabase/metabase-enterprise:v1.58.7
Download the JAR here: https://downloads.metabase.com/enterprise/v1.58.7/metabase.jar
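For anyone checking more than one instance, the rule above (compare the running point version with the minimum safe release for its version line) can be scripted. This is an added example, not code from Metabase; the function names and the sample inventory are made up for illustration, and versions newer than the lines listed here are reported as "not-listed" rather than judged.

```python
import re

# Minimum safe point release per Metabase version line, copied from the list above.
MIN_SAFE_POINT = {55: 20, 56: 20, 57: 13, 58: 7}

# v0.x.y and v1.x.y are the two builds listed above (metabase and metabase-enterprise).
# Assumption: a trailing fourth component, if present, is ignored.
_VERSION = re.compile(r"v?([01])\.(\d+)\.(\d+)(?:\.\d+)?")


def parse_version(text):
    """Accept 'v0.58.6', '1.58.6', or a Docker reference ending in ':v1.58.6'."""
    tag = text.strip().rsplit(":", 1)[-1]
    match = _VERSION.fullmatch(tag)
    if match is None:
        raise ValueError(f"not a Metabase version: {text!r}")
    return match.group(1), int(match.group(2)), int(match.group(3))


def assess(text):
    """Return (status, targets); status is 'ok', 'upgrade' or 'not-listed'."""
    build, line, point = parse_version(text)
    if line < min(MIN_SAFE_POINT):
        # Below 55 the advisory says to move to one of the listed releases.
        return "upgrade", [f"v{build}.{m}.{p}" for m, p in sorted(MIN_SAFE_POINT.items())]
    if line not in MIN_SAFE_POINT:
        # Version lines the advisory does not list: report rather than guess.
        return "not-listed", []
    floor = MIN_SAFE_POINT[line]
    if point < floor:
        return "upgrade", [f"v{build}.{line}.{floor}"]
    return "ok", []


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own version strings or image tags.
    inventory = [
        "1.58.6",
        "v0.58.7",
        "metabase/metabase:v0.56.19",
        "metabase/metabase-enterprise:v1.57.13",
        "v0.54.3",
    ]
    for item in inventory:
        status, targets = assess(item)
        print(f"{item:40} {status:11} {' or '.join(targets)}")
```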