oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-55675: Apache Superset: Incorrect datasource authorization on REST API

From: Daniel Gaspar <dpgaspar () apache org>
Date: Thu, 14 Aug 2025 11:43:28 +0000
Severity: 

Affected versions:

- Apache Superset before 5.0.0

Description:

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization 
check allows an authenticated user to discover metadata about datasources they do not have permission to access. By 
iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of 
protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Credit:

Daniel Höxtermann / hxtmdev (remediation developer)
Pedro Sousa (coordinator)

References:

https://www.cve.org/CVERecord?id=CVE-2025-55675
Previous By Date Next
Previous By Thread Next

Current thread: