The vulnerability existed in the /api/setup/validate API endpoint, which served as a crucial part of Metabase’s initial setup process. During application setup, this endpoint was responsible for checking the database connection. However, attackers could exploit a flaw in the JDBC connection handling, leading to remote code execution (RCE) with pre-authentication. This meant that attackers could execute malicious commands on the server with elevated privileges, gaining full control over the application environment. With this level of access, an attacker could potentially steal sensitive data, manipulate the application, or even gain control of the entire server infrastructure.