We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
SSO users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP.
The following patches (or greater versions) are available:
All releases are available on https://github.com/metabase/metabase/releases.
Metabase now blocks password reset for all users who use SSO for their Metabase login.
Impact
SSO users were able to do password resets on Metabase, which could allow a user access without going through the SSO IdP.
Patches
The following patches (or greater versions) are available:
All releases are available on https://github.com/metabase/metabase/releases.
Mitigation
Metabase now blocks password reset for all users who use SSO for their Metabase login.