Jul 20, 2023 in News

2 min read

Please upgrade your Metabase immediately

Sameer Al-Sakran

We’ve patched an additional vulnerability since this post was published.

TL;DR: Upgrade your Metabase installation IMMEDIATELY.

A recently discovered security vulnerability almost certainly affects you (see below for details), and we recommend you upgrade your Metabase installation right away.

If you are a Metabase Enterprise customer

You can access the latest patched release version at:

If you are using the open source edition of Metabase

You can access the latest patched release version at:

For older versions of Metabase

We have also issued the following versions to patch prior versions of Metabase that were affected by the vulnerability:

  • v0.45.4.1 and v1.45.4.1
  • v0.44.7.1 and v1.44.7.1
  • v0.43.7.2 and v1.43.7.2

These versions are available at https://github.com/metabase/metabase/releases.

What happened?

We were informed by a third-party security researcher that they had discovered a vulnerability in Metabase.

What is the severity of the vulnerability?

Extremely severe. An unauthenticated attacker can run arbitrary commands on the server you are running Metabase on, with the same privileges as the Metabase server.

Has this been exploited?

To the best of our current knowledge, there has been no known exploitation of this vulnerability. We audited our own systems, and were not able to find any malicious use of this.

If I am running a fork, what should I do?

Reach out to help@metabase.com and we’ll walk you through patching your systems.

Am I at risk?

If you are not on Metabase Cloud and you are running version X.43 of Metabase or later, you are at risk. Please upgrade immediately.
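To apply the at-risk rule above and the backport list from earlier in this post across several self-hosted instances, the following added example (not code from Metabase) triages version strings. The status labels, function names and sample inventory are assumptions made for illustration.

```python
import re

# Backports named in this post, keyed by release branch (second number of the
# version). The first number is the edition: 0 = open source, 1 = Enterprise.
BACKPORTS = {43: (43, 7, 2), 44: (44, 7, 1), 45: (45, 4, 1)}
FIRST_AFFECTED_BRANCH = 43  # "version X.43 of Metabase or later"

def parse_version(text):
    """Split 'v0.45.4.1' into (edition, (45, 4, 1)); reject anything else."""
    match = re.fullmatch(r"v?([01])\.(\d+(?:\.\d+){0,3})", text.strip())
    if not match:
        raise ValueError(f"unrecognised Metabase version: {text!r}")
    return int(match.group(1)), tuple(int(p) for p in match.group(2).split("."))

def triage(version, cloud=False):
    """Return a status label (hypothetical names) for one instance."""
    if cloud:
        return "cloud-already-patched"  # the post says Cloud needs no action
    _edition, parts = parse_version(version)
    if parts[0] < FIRST_AFFECTED_BRANCH:
        return "below-stated-range"
    fixed = BACKPORTS.get(parts[0])
    if fixed is None:
        # The latest patched release is not named by version in this post, so
        # newer branches cannot be cleared here.
        return "verify-against-latest-release"
    width = max(len(parts), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))  # 0.45.4 compares as 0.45.4.0
    # Covers only the fix in this post; an additional fix was released later.
    return "has-listed-backport" if pad(parts) >= pad(fixed) else "at-risk"

def triage_inventory(inventory):
    """Map instance name -> status for (name, version, is_cloud) rows."""
    return {name: triage(version, cloud) for name, version, cloud in inventory}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("bi-prod", "v0.45.4", False),
    ("bi-stage", "v1.44.7.1", False),
    ("bi-legacy", "v0.43.7.1", False),
    ("bi-new", "v0.46.6", False),
    ("bi-cloud", "v1.46.6", True),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(f"{name:10} {status}")
```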

I’m a Metabase Cloud customer, do I need to do anything?

You don’t need to do anything. We already fixed and patched your Metabase as soon as we knew about the vulnerability. We have also audited network access to all customer instances and have not been able to find any non-pen test exploitation of this vulnerability.

Will you release any information about the vulnerability?

Yes, we’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited.
