In July 2023, Metabase was affected by a severe security vulnerability, the most significant in the project's history, centered on the H2 database used in its systems. The vulnerability allowed unauthorized remote code execution, a serious threat that could compromise user data and server integrity. After being informed by an external researcher, Metabase implemented a phased plan to address the issue: first patching the vulnerability for its cloud customers and offering a source patch under NDA to customers running custom forks, then making a public release without source code. Despite these efforts, multiple vulnerabilities were identified, some without prior notice to Metabase, prompting accelerated public disclosures and further patches. The company also removed H2 as a supported database to mitigate risks. Throughout this process, Metabase communicated with its community via social media and blog updates, emphasizing the urgency of upgrading to mitigate potential exploits, which included unauthorized access and misuse of servers for activities like cryptocurrency mining and DDoS attacks. The company continues to monitor and strengthen its security protocols in response to this incident.