oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-55673: Apache Superset: Metadata exposure in embedded charts

From: Daniel Gaspar <dpgaspar () apache org>
Date: Thu, 14 Aug 2025 11:33:43 +0000
Severity: 

Affected versions:

- Apache Superset before 4.1.3

Description:

When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query 
field in its payload. This field contains the underlying query, which improperly discloses database schema information, 
such as table names, to the low-privileged guest user.

This issue affects Apache Superset: before 4.1.3.

Users are recommended to upgrade to version 4.1.3, which fixes the issue.

Credit:

Pedro Sousa (coordinator)
Daniel Gaspar (remediation developer)

References:

https://www.cve.org/CVERecord?id=CVE-2025-55673
Previous By Date Next
Previous By Thread Next

Current thread: