Vulnerability detail
Enriched intelligence for a single CVE
CVE-2023-38646
- Severity: Critical
- Status: Published
- Vendor: Metabase
- Product: Metabase
- Published: Jul 21, 2023
- EPSS: —
Description
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- https://www.metabase.com/blog/security-advisory
- https://github.com/metabase/metabase/releases/tag/v0.46.6.1
- https://news.ycombinator.com/item?id=36812256
- https://github.com/metabase/metabase/issues/32552
- http://packetstormsecurity.com/files/174091/Metabase-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/177138/Metabase-0.46.6-Remote-Code-Execution.html
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) | Apr 28, 2025 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/metabase_setup_token_rce.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-38646.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
| Source | Created (UTC) | Stars | Description |
|---|---|---|---|
| github | 2024-03-04 23:01:43 | 0 | CVE-2023-38646 Metabase 0.46.6 exploit |
| github | 2023-11-07 03:57:15 | 0 | Metabase Pre-Auth RCE POC |
| github | 2023-10-26 10:37:23 | 0 | Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2. |
| github | 2023-10-25 17:10:53 | 2 | Python script to exploit CVE-2023-38646 Metabase Pre-Auth RCE via SQL injection |
| github | 2023-10-20 15:21:08 | 0 | RCE Exploit for CVE-2023-38646 |
| github | 2023-10-15 01:29:37 | 8 | Exploit script for Pre-Auth RCE in Metabase (CVE-2023-38646) |
| github | 2023-10-12 02:24:12 | 0 | |
| github | 2023-10-11 20:17:14 | 3 | CVE-2023-38646 Unauthenticated RCE vulnerability in Metabase |
| github | 2023-10-08 07:36:57 | 0 | |
| github | 2023-08-19 11:47:08 | 8 | Metabase Pre-auth RCE (CVE-2023-38646) |
| github | 2023-08-09 14:05:24 | 27 | Automatic Tools For Metabase Exploit Known As CVE-2023-38646 |
| github | 2023-07-31 11:18:21 | 1 | Proof of Concept for CVE-2023-38646 |
| github | 2023-07-30 09:56:52 | 20 | POC for CVE-2023-38646 |
| github | 2023-07-30 09:33:28 | 2 | |
| github | 2023-07-30 01:12:24 | 3 | Remote Code Execution on Metabase CVE-2023-38646 |
| github | 2023-07-29 13:07:00 | 15 | Metabase Pre-auth RCE (CVE-2023-38646)!! |
| github | 2023-07-28 11:43:06 | 6 | For educational purposes only |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Proof of Concept Exploit Available
- Detected by Nuclei
- Added to KEVIntel
- Detected by Metasploit