2 min read
‧ 2 min read

Sho Odagiri, a security researcher, reported a vulnerability in Metabase’s notification API. The vulnerability allowed an authenticated user to craft a specially formatted notification template that could extract database connection details, including credentials, and send them via outbound email.
We have no evidence that this vulnerability was exploited by any customer or malicious actor prior to the fix being released.
See the Fixed versions below, and find the latest point version for the Metabase version you’re running. If you’re running a point version below that version, you’re still vulnerable and should upgrade immediately.
Two independent changes introduced this vulnerability:
Together, these changes made it possible for an authenticated user to write a template that could extract sensitive database details via an outgoing email.
Part of what made this vulnerability difficult to catch is that the Handlebars library did not clearly document a method resolver that allows templates to invoke arbitrary Java methods.
We addressed this vulnerability through two fixes:
All Metabase Cloud instances have been upgraded and are no longer vulnerable.
If you are self-hosted and haven’t already upgraded, please upgrade to one of the following versions (or higher) for your respective version.
Along with the fixes we’ve made, we’re working through additional improvements to reduce risk:
Patches are live across all affected versions, and we have no evidence this vulnerability was exploited before the fix landed. We’re tightening template evaluation, locking down credential access paths, and improving logging to catch unusual behavior early.
If you’re self-hosted and haven’t upgraded already, please upgrade as soon as possible.
Hat tip to Sho Odagiri from GMO Cybersecurity by Ierae, Inc for discovering and disclosing this vulnerability.
Reach out at support@metabase.com.