
Metabase Pre-Auth Remote Code Execution (CVE-2023-38646)


Overview

Metabase Pre-Auth Remote Code Execution, tracked as CVE-2023-38646, affects unpatched Metabase Open Source and Metabase Enterprise deployments. Metabase is a business intelligence and analytics platform, so a server-side compromise can expose dashboards, connected data sources, stored database credentials, and internal network paths reachable from the Metabase host.

Vulnerability Overview

CVE-2023-38646 allows attackers to execute arbitrary commands on the Metabase server at the privilege level of the Metabase process. Authentication is not required for exploitation, which makes exposed vulnerable instances especially dangerous.

The root cause lies in Metabase's first-run setup flow. In affected versions, the setup token that authorizes initial configuration remained retrievable from an unauthenticated endpoint after setup was complete, and the setup API that validates a database connection accepted attacker-supplied connection parameters. Chaining the two lets an unauthenticated attacker reach a code path in which a crafted database connection string results in command execution on the host.

Impact

The vulnerability is rated Critical with a CVSS 3.1 base score of 9.8. Successful exploitation allows remote command execution as the Metabase service account, exposure of application secrets such as stored datasource credentials, and access to connected data infrastructure from the Metabase server context.

For organizations using Metabase to connect to production databases, the impact extends beyond the application host: every datasource the instance can reach with its stored credentials becomes reachable by the attacker, and the host itself becomes a pivot point into the internal network.

Vulnerability Scope

The affected scope includes Metabase Open Source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1. Metabase also released fixed versions for older supported branches: 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. Open Source builds carry a leading 0 and Enterprise builds a leading 1, so the same branch (for example 46.x) has one fixed release per edition. Branches newer than 46 were released after the fix.

The highest-risk deployments are internet-facing Metabase instances that have not been upgraded to a fixed release. Until an upgrade can be applied, such an instance should be taken off the public internet or placed behind authenticated network access, since the vulnerable path needs no Metabase credentials.
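Deciding whether a given build is inside the affected range is easy to get wrong by hand because each branch has its own backported fix and the hotfix component (the fourth number) is what separates a vulnerable build from a patched one. The script below is an added example written for this page, not Metabase's own code: it encodes the fixed releases listed above and classifies version strings against them. The hostnames and versions in `SAMPLE_INVENTORY` are constructed for illustration, and treating branches older than 43 (which received no backport) as vulnerable is an assumption consistent with the "before 0.46.6.1 / 1.46.6.1" scope.

```python
"""Version triage for CVE-2023-38646 (Metabase pre-auth RCE).

Added example, not Metabase's own code. It encodes the fixed releases
from the advisory and decides whether a reported version string falls
in the affected range. Entries in SAMPLE_INVENTORY are constructed.
"""
import re

# Fixed releases per (edition, minor branch). Metabase Open Source uses
# major version 0, Metabase Enterprise uses major version 1; a branch is
# fixed at or above the listed patch/hotfix.
FIXED_RELEASES = {
    (0, 43): (0, 43, 7, 2), (1, 43): (1, 43, 7, 2),
    (0, 44): (0, 44, 7, 1), (1, 44): (1, 44, 7, 1),
    (0, 45): (0, 45, 4, 1), (1, 45): (1, 45, 4, 1),
    (0, 46): (0, 46, 6, 1), (1, 46): (1, 46, 6, 1),
}
NEWEST_FIXED_BRANCH = 46  # 0.47 / 1.47 and later shipped after the fix

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Normalise 'v0.46.6', '0.46.6.1' or '1.45.4' to a 4-tuple of ints.

    Missing patch/hotfix components become 0, so '0.46.6' sorts below
    '0.46.6.1' as intended.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Metabase version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_vulnerable(text):
    """Return True if the version is in the CVE-2023-38646 affected range."""
    major, minor, patch, hotfix = parse_version(text)
    if major not in (0, 1):
        raise ValueError(f"expected major 0 (OSS) or 1 (Enterprise), got {major}")
    if minor > NEWEST_FIXED_BRANCH:
        return False  # branch released after the fix
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Assumption: branches older than 43 received no backport and are
        # all "before 0.46.6.1 / 1.46.6.1", so treat them as vulnerable.
        return True
    return (major, minor, patch, hotfix) < fixed


def triage(inventory):
    """Map host -> 'vulnerable' / 'fixed' / 'unknown' for {host: version}
    entries; versions that cannot be parsed are reported as 'unknown'
    rather than silently skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory for illustration (not real hosts or data).
SAMPLE_INVENTORY = {
    "bi-prod.example.internal": "v0.46.6",    # last vulnerable OSS build on 46.x
    "bi-ent.example.internal": "1.46.6.1",    # fixed Enterprise release
    "bi-legacy.example.internal": "0.44.7",   # below the backported 0.44.7.1
    "bi-new.example.internal": "v0.47.0",     # released after the fix
    "bi-old.example.internal": "0.42.3",      # branch with no backport listed
    "bi-broken.example.internal": "latest",   # unparsable tag
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {SAMPLE_INVENTORY[host]:10} {status}")
```

Feed it whatever version tags your inventory or asset scanner already records for each Metabase host; anything reported as `unknown` needs a manual look rather than being assumed safe.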

Lab Focus

This Hackviser lab focuses on understanding how pre-authentication application setup behavior can become a remote code execution path. You will practice identifying vulnerable Metabase versions, interpreting the per-branch fixed releases for both editions, and connecting server-side command execution to the risk carried by the data sources the platform is connected to.
