Unrated severityNVD Advisory· Published Oct 26, 2022· Updated Apr 23, 2025

Metabase SSO users able to circumvent IdP login by doing password reset

CVE-2022-39360

Description

Metabase is data visualization software. Prior to versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9 single sign on (SSO) users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP. This issue is patched in versions 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9, and 1.41.9. Metabase now blocks password reset for all users who use SSO for their Metabase login.

Affected products

Metabase/Metabasev5
Range: < 0.41.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/metabase/metabase/commit/edadf7303c3b068609f57ca073e67885d5c98730mitre
github.com/metabase/metabase/security/advisories/GHSA-gw4g-ww2m-v7vcmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000