Vulnerability Database

309,364

Total vulnerabilities in the database

CVE-2022-39360

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.

Published: Oct 26, 2022
Updated: Nov 16, 2025
CVE: CVE-2022-39360
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
metabase / metabase	1.42.0	1.42.6
metabase / metabase	1.43.0	1.43.7
metabase / metabase	1.44.0	1.44.5
metabase / metabase	0.42.0	0.42.6
metabase / metabase	0.43.0	0.43.7
metabase / metabase	0.44.0	0.44.5
metabase / metabase	1.41.0	1.41.9
metabase / metabase	0.41.0	0.41.9

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo