Metabase is a popular open-source platform for data visualization and analytics. Many businesses and organizations use it so that employees can make sense of company data, build dashboards, and create custom reports without needing to be SQL experts. But popular software can have hidden issues too. One such bug was found in Metabase and is tracked as CVE-2022-39362. In this article, we'll break down what happened, why it matters, and walk through the unsafe and the fixed behaviour with simplified, educational code.
What Was the Issue in Metabase?
In Metabase versions before 0.44.5, 1.44.5, 0.43.7, 1.43.7, 0.42.6, 1.42.6, 0.41.9 and 1.41.9 (the 0.x numbers are the open-source releases, the 1.x numbers the corresponding Enterprise releases), the native query editor had a feature that auto-executed whatever SQL query was in the editor, even if the user had not clicked the "Run" button or saved the query.
Why is auto-executing unsaved queries a problem?
Normally, software waits for a user to take an explicit action, such as pressing "Run" or "Submit", before executing anything. Here, simply typing or pasting a SQL statement into the native query editor caused Metabase to execute it *immediately* against the connected database. Keep in mind that Metabase runs native queries with the credentials of the database connection configured for that data source, not with the Metabase user's own account, so the query can do whatever that database user is allowed to do.
In the worst case, a user who unknowingly pastes a dangerous query can damage the database, exposing or deleting sensitive data. The query runs before the user ever reaches the "Run" button; if it is destructive (for example DROP TABLE users;), the damage is done right away, without the user ever clicking anything.
Example "Bad" SQL
```sql
-- This is just an example. Don't use this for real.
DROP TABLE users;
```
Pasting that into an affected version of Metabase, while connected with a database user that owns the table, could have dropped your users table instantly.
A simplified piece of (pseudo) code shows what was happening inside Metabase. The names are illustrative, not Metabase's real internals: `autoExecuteQuery` stands in for the call that sends the query to the database.
```javascript
// Stand-in for the call that sends the query to the connected database
function autoExecuteQuery(sqlQuery) {
  console.log("executing:", sqlQuery);
}

function onEditorInput(sqlQuery) {
  // ...other logic (highlighting, autocomplete, ...)...
  // BAD: automatically runs the query whenever the editor content changes
  autoExecuteQuery(sqlQuery);
}
```
Whenever the input changes, by typing, pasting, or any other means, the software runs the query. That is what is unsafe: execution is tied to editing, not to an explicit user decision.
References and Original Reports
- GitHub Security Advisory for CVE-2022-39362
- National Vulnerability Database (NVD) entry for CVE-2022-39362
- Metabase changelog (0.44.5)
Here is pseudo code for the fixed behaviour, so the difference is clear. Again the names are illustrative: `executeQuery` stands in for the call that sends the query to the database, and `displayQueryPreview` only updates what the editor shows.
```javascript
// Stand-in for the call that sends the query to the connected database
function executeQuery(sqlQuery) {
  console.log("executing:", sqlQuery);
}

// Stand-in for updating the editor view; nothing reaches the database
function displayQueryPreview(sqlQuery) {
  console.log("preview only:", sqlQuery);
}

function onEditorInput(sqlQuery) {
  // Only display the query, don't run it yet
  displayQueryPreview(sqlQuery);
}

// Now the query executes ONLY when the user clicks 'Run'
function onRunButtonClick(sqlQuery) {
  executeQuery(sqlQuery); // explicit user action required
}
```
What Should You Do?
- Upgrade ASAP: run a fixed release. That is 0.44.5 / 1.44.5 or later, or the patch release for the branch you are on: 0.43.7 / 1.43.7, 0.42.6 / 1.42.6, or 0.41.9 / 1.41.9.
- Remind users: never paste SQL you have not read and understood into the native query editor. Even with the fix, this is good practice.
- Review database permissions: native queries run with the credentials of the connection Metabase holds for that data source, so limit that database user's ability to perform destructive actions. Do not connect Metabase as a superuser or as the owner of the tables; a role with SELECT only is usually enough for reporting, and it turns a pasted DROP TABLE into a permission error instead of data loss.
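As an added example (not code from this page or from the Metabase project), here is what the "limit the connected user" advice looks like in PostgreSQL. The role name `metabase_ro`, the database `analytics`, the owning role `app_owner`, the schema and the password are placeholders; adapt them to your setup.

```sql
-- Added example, not part of the original article or of Metabase.
-- A read-only PostgreSQL role for the Metabase data-source connection.
-- Placeholders: metabase_ro, analytics, app_owner, 'change-me'.

CREATE ROLE metabase_ro LOGIN PASSWORD 'change-me';

-- Allow the role to connect to the reporting database only
GRANT CONNECT ON DATABASE analytics TO metabase_ro;

-- Read access to the tables that exist today
GRANT USAGE ON SCHEMA public TO metabase_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO metabase_ro;

-- ...and to tables that app_owner creates later, so the grant does not rot
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
  GRANT SELECT ON TABLES TO metabase_ro;

-- Defence in depth: sessions start read-only and runaway queries are cut off.
-- Note: a session can SET these back, so they are guards, not permissions.
ALTER ROLE metabase_ro SET default_transaction_read_only = on;
ALTER ROLE metabase_ro SET statement_timeout = '60s';

-- Check: both should return f (false) for the Metabase role.
SELECT has_table_privilege('metabase_ro', 'public.users', 'DELETE');
SELECT has_table_privilege('metabase_ro', 'public.users', 'TRUNCATE');
```

With these grants, DROP TABLE users; from the Metabase connection fails because `metabase_ro` does not own the table, and DELETE or UPDATE fail for lack of privilege. The real protection is the GRANT list; `default_transaction_read_only` and `statement_timeout` are role defaults that a query can override with SET, so treat them as a second layer, not as the control.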
Closing Thoughts
This bug in Metabase reminds us that a "helpful" feature can backfire, especially when it sits in front of something as powerful as a SQL database. If you run Metabase, upgrading is a must, and connecting it with a least-privilege database user is cheap insurance against the next bug of this kind. Stay safe, stay patched, and always review what you're running, whether you click the button or the computer does it for you.
*This article was written exclusively for educational reasons. Do not attempt to exploit real systems. For more info, check out the CVE-2022-39362 page and the official Metabase release notes.*
Timeline
Published on: 10/26/2022 19:15:00 UTC
Last modified on: 10/28/2022 16:45:00 UTC