Additional critical Metabase security vulnerabilities announced today
metabase.comMetabase announced a patch release for a critical vulnerability a little over a week ago: https://www.metabase.com/blog/security-advisory
Today they have announced further, related vulnerabilities, and if you're running your own instance you should patch again, or disable your instance until you have a chance to do so.
The vulnerabilities allow an unauthenticated attacker to run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on. This would allow arbitrary querying of any database that Metabase is connected to.
Very important! Another update