diff --git a/.appsec-tests/vpatch-CVE-2023-38646/CVE-2023-38646.yaml b/.appsec-tests/vpatch-CVE-2023-38646/CVE-2023-38646.yaml
new file mode 100644
index 00000000000..242eac3cf0f
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2023-38646/CVE-2023-38646.yaml
@@ -0,0 +1,33 @@
+## autogenerated on 2026-04-08 13:22:20
+id: CVE-2023-38646
+info:
+  name: CVE-2023-38646
+  author: crowdsec
+  severity: info
+  description: CVE-2023-38646 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /api/setup/validate HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {
+           "token":"testtoken",
+           "details":{
+              "details":{
+                 "subprotocol":"h2",
+                 "classname":"org.h2.Driver",
+                 "advanced-options":true,
+                 "subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM './plugins/vertica.metabase-driver.jar'//\\;"
+              },
+              "name":"testdb",
+              "engine":"postgres"
+           }
+        }
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/vpatch-CVE-2023-38646/config.yaml b/.appsec-tests/vpatch-CVE-2023-38646/config.yaml
new file mode 100644
index 00000000000..b3dc299e0ce
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2023-38646/config.yaml
@@ -0,0 +1,5 @@
+## autogenerated on 2026-04-08 13:22:20
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2023-38646.yaml
+nuclei_template: CVE-2023-38646.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-38646.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-38646.yaml
new file mode 100644
index 00000000000..6d44cc3d0e0
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-38646.yaml
@@ -0,0 +1,31 @@
+## autogenerated on 2026-04-08 13:22:20
+name: crowdsecurity/vpatch-CVE-2023-38646
+description: 'Detects Metabase pre-auth RCE via malicious H2 subname in setup validation.'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: /api/setup/validate
+      - zones:
+          - RAW_BODY
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: 'trace_level_system_out=3;init=runscript'
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Metabase - RCE'
+  classification:
+    - cve.CVE-2023-38646
+    - attack.T1190
+    - cwe.CWE-94
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 7ccf9a8bf03..dc081b5eceb 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -7,6 +7,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2023-40044
 - crowdsecurity/vpatch-CVE-2017-9841
 - crowdsecurity/vpatch-CVE-2020-11738
+- crowdsecurity/vpatch-CVE-2023-38646
 - crowdsecurity/vpatch-CVE-2022-27926
 - crowdsecurity/vpatch-CVE-2022-35914
 - crowdsecurity/vpatch-CVE-2022-46169