Learning more about Metabase Pre-auth RCE (CVE-2023-38646)

Gupta Bless
2 min read · Nov 19, 2023

Introduction

In the realm of cybersecurity, Common Vulnerabilities and Exposures (CVE) play a pivotal role in identifying and addressing potential threats. The practice of publicly disclosing vulnerabilities has become a standard procedure, regardless of whether they pertain to hardware or software. The severity of each CVE is gauged by the Common Vulnerability Scoring System (CVSS) score, providing a standardized way to assess and prioritize security weaknesses.

Understanding Metabase Pre-Auth RCE

CVE-2023-38646 is a remote code execution vulnerability in specific versions of Metabase. Metabase, an open-source program, lets users build visual representations of data drawn from various databases. The flaw affects all open-source releases before 0.46.6.1 and all enterprise releases before 1.46.6.1.

Root Cause Analysis

The vulnerability stems from a lapse in security practice in the Metabase setup flow. Although a setup token is required during installation, that token isn’t invalidated once setup completes. This oversight lets an attacker who obtains the token impersonate a legitimate user and issue commands directly through…
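As an added example (not from the article or from Metabase's code base), the block below turns the two facts above into defender-side checks: a version comparison against the fixed releases the article names, and a minimal constructed model of a setup token that is or is not invalidated when setup finishes. The `SetupState` class and its method names are illustrative assumptions, not Metabase internals.

```python
"""Defender-side checks for CVE-2023-38646 (added example, not the article's code)."""
import secrets

# Fixed releases per the article: OSS 0.46.6.1, Enterprise 1.46.6.1
FIXED = {"oss": (0, 46, 6, 1), "enterprise": (1, 46, 6, 1)}


def parse_version(v: str) -> tuple:
    """Parse 'v0.46.6' / '1.46.6.1' into a 4-tuple so 0.46.6 sorts below 0.46.6.1."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def edition_of(version_tuple: tuple) -> str:
    # Metabase Enterprise releases carry a leading 1, OSS releases a leading 0
    return "enterprise" if version_tuple[0] == 1 else "oss"


def is_vulnerable(v: str) -> bool:
    """True when the reported version predates the fixed release for its edition."""
    vt = parse_version(v)
    return vt < FIXED[edition_of(vt)]


class SetupState:
    """Constructed model of the setup-token lifecycle (illustrative, not Metabase's code).

    clear_on_finish=False reproduces the root cause: the token survives setup completion.
    """

    def __init__(self, clear_on_finish: bool):
        self.setup_token = secrets.token_hex(16)  # constructed sample token
        self.completed = False
        self.clear_on_finish = clear_on_finish

    def finish_setup(self) -> None:
        self.completed = True
        if self.clear_on_finish:
            self.setup_token = None  # the behaviour a patched flow must have

    def token_still_usable(self) -> bool:
        # A valid setup token after setup is complete is the exposure described above
        return self.completed and self.setup_token is not None


if __name__ == "__main__":
    for v in ("v0.46.6", "v0.46.6.1", "v1.46.6", "v1.47.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    flawed, patched = SetupState(clear_on_finish=False), SetupState(clear_on_finish=True)
    flawed.finish_setup(); patched.finish_setup()
    print("token usable after setup:", flawed.token_still_usable(), patched.token_still_usable())
```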
