Description
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.
When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue, or to make sure TAGGING_SYSTEM is False (the current Apache Superset default).
Published: 2026-02-24
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch
AI Analysis

Impact

A vulnerability in Apache Superset’s Tag endpoint allows authenticated users, even those with low‑privilege roles such as Gamma, to retrieve sensitive authentication data. When the endpoint returns objects that include Users, the API response serializes password hashes (pbkdf2), email addresses, and login statistics. This exposure is a classic data‑confidentiality breach, identified as CWE‑200.
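To make the serialization defect concrete, here is an added example in Python (it is not Superset's code and not part of the OpenCVE analysis): a leaky serializer that dumps every column of whatever object a tag points to, the allowlist form of the fix beside it, and an audit helper that reports which sensitive keys a captured tag-listing response contains. The User field names mirror the Flask-AppBuilder User model that Superset uses; the User and Dashboard classes, the serializer functions and the sample records are constructed stand-ins, and the pbkdf2 string is generated locally in werkzeug's format only so the sample looks realistic.

```python
"""Added example (not Superset's own code): why dumping a User object
wholesale leaks credentials, and the allowlist form of the fix.

Assumptions: the User field names below mirror the Flask-AppBuilder
User model Superset uses (password, email, last_login, login_count,
fail_login_count); the classes, serializer functions and sample
records are hypothetical stand-ins for the real endpoint code.
"""
import hashlib
import json
import os
from dataclasses import asdict, dataclass
from typing import Any, Callable


def make_pbkdf2_hash(password: str, iterations: int = 600_000) -> str:
    """Build a werkzeug-style 'pbkdf2:sha256:<iter>$<salt>$<hex>' string.

    Constructed here only to give the sample data a realistic-looking
    hash; the salt is random, so the value differs on every run.
    """
    salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${digest.hex()}"


@dataclass
class User:
    id: int
    username: str
    first_name: str
    last_name: str
    email: str
    password: str          # pbkdf2 hash; must never leave the server
    active: bool
    last_login: str
    login_count: int
    fail_login_count: int


@dataclass
class Dashboard:
    id: int
    dashboard_title: str
    slug: str


# Keys that must never appear in a tagged-object listing.
SENSITIVE_USER_FIELDS = frozenset({
    "password", "email", "last_login", "login_count", "fail_login_count",
})

# Allowlist per object type: anything not listed is dropped by the fix.
PUBLIC_FIELDS = {
    User: ("id", "username", "first_name", "last_name"),
    Dashboard: ("id", "dashboard_title", "slug"),
}


def serialize_vulnerable(obj: Any) -> dict:
    """Leaky pattern: every column of whatever object the tag points at."""
    return asdict(obj)


def serialize_fixed(obj: Any) -> dict:
    """Hardened pattern: only explicitly allowlisted fields are returned."""
    data = asdict(obj)
    return {key: data[key] for key in PUBLIC_FIELDS[type(obj)]}


def tagged_objects_response(objects: list, serializer: Callable[[Any], dict]) -> str:
    """Mimic the JSON body of a 'objects associated with this tag' listing."""
    return json.dumps({"result": [serializer(o) for o in objects]})


def find_sensitive_fields(response_json: str) -> set:
    """Audit check: which sensitive keys does a captured listing expose?"""
    body = json.loads(response_json)
    leaked: set = set()
    for item in body.get("result", []):
        leaked.update(key for key in item if key in SENSITIVE_USER_FIELDS)
    return leaked


# Constructed sample data; not taken from any real Superset instance.
SAMPLE_OBJECTS = [
    User(1, "admin", "Ada", "Admin", "admin@example.test",
         make_pbkdf2_hash("not-a-real-password"), True,
         "2026-02-20T09:14:00", 42, 3),
    Dashboard(7, "Quarterly revenue", "quarterly-revenue"),
]

if __name__ == "__main__":
    leaky = tagged_objects_response(SAMPLE_OBJECTS, serialize_vulnerable)
    fixed = tagged_objects_response(SAMPLE_OBJECTS, serialize_fixed)
    print("vulnerable response leaks:", sorted(find_sensitive_fields(leaky)))
    print("fixed response leaks:", sorted(find_sensitive_fields(fixed)))
```

Running the file audits both responses. To check your own instance, save the JSON body returned by the tag listing (with TAGGING_SYSTEM on) and pass it to find_sensitive_fields; a non-empty result means the User fields above are being served to any authenticated caller.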

Affected Systems

Apache Superset versions prior to 6.0.0 are affected. Only deployments that have enabled the tagging feature (TAGGING_SYSTEM, which is off by default) expose sensitive user information; with the flag off, the Tag endpoint is disabled.

Risk and Exploitability

Apache's CVSS 4.0 score is 2.3 (Low); the vector carries AT:P, reflecting the non-default TAGGING_SYSTEM flag that must be enabled before the endpoint exists. NVD's separate CVSS 3.1 assessment, recorded in the history below, rates the same issue 6.5 (Medium, with high confidentiality impact), so deployments that have turned tagging on should not read "Low" as negligible. The EPSS score is under 1%, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only an authenticated account with a low-privilege role such as Gamma; a request to the Tag REST API for a tag associated with User objects returns the data. No remote code execution or privilege escalation is involved, but the leaked pbkdf2 hashes can be cracked offline and any recovered passwords reused against the same accounts or other services, while the email addresses and login statistics support targeted phishing.

Generated by OpenCVE AI on April 17, 2026 at 15:49 UTC.

Remediation

Vendor fix: Apache Superset 6.0.0. Workaround: keep TAGGING_SYSTEM set to False (the default), which disables the Tag endpoint.

OpenCVE Recommended Actions

  • Upgrade to Apache Superset 6.0.0 or later to remove the vulnerability.
  • Leave TAGGING_SYSTEM at its default of False, or set it back to False, wherever the tagging feature is not required.
  • Until the upgrade is applied on instances that need tagging, remove the permission of Gamma and other low‑privilege roles to read the Tag REST API, and rotate the passwords of accounts whose hashes may already have been retrieved.
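As an added example of the two conditions the actions above combine (it is not OpenCVE's or Superset's code), the Python helper below decides from a version string and a configuration dict whether an instance is exposed. It assumes the flag lives under FEATURE_FLAGS in superset_config.py, as Superset's feature flags normally do, and treats any suffixed 6.0.0 build (such as a "6.0.0rc1" string) conservatively as not yet the fixed release; the sample configs are constructed.

```python
"""Added example (not OpenCVE's or Superset's code): triage helper that
combines the advisory's two conditions, version before 6.0.0 and the
TAGGING_SYSTEM feature flag enabled.

Assumptions: the flag sits under FEATURE_FLAGS as Superset's feature
flags normally do, and versions follow 'MAJOR.MINOR.PATCH[suffix]'.
A suffixed 6.0.0 (e.g. '6.0.0rc1') is conservatively treated as still
affected, since the advisory names the final 6.0.0 as the fix.
"""
import re

FIXED_IN = (6, 0, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, is_final_release)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Superset version: {version!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch), suffix == "")


def is_vulnerable_version(version: str) -> bool:
    """True for anything ordered before the final 6.0.0 release."""
    major, minor, patch, is_final = parse_version(version)
    core = (major, minor, patch)
    if core < FIXED_IN:
        return True
    return core == FIXED_IN and not is_final


def tagging_enabled(config: dict) -> bool:
    """Effective state of the flag; absent means the default, False."""
    return bool(config.get("FEATURE_FLAGS", {}).get("TAGGING_SYSTEM", False))


def is_exposed(version: str, config: dict) -> bool:
    """Exposed only when both conditions hold at once."""
    return is_vulnerable_version(version) and tagging_enabled(config)


# Constructed configs: the weak setting beside the corrected one.
WEAK_CONFIG = {"FEATURE_FLAGS": {"TAGGING_SYSTEM": True}}
CORRECTED_CONFIG = {"FEATURE_FLAGS": {"TAGGING_SYSTEM": False}}

if __name__ == "__main__":
    for version in ("4.1.2", "5.0.0", "6.0.0rc1", "6.0.0", "6.1.0"):
        for name, cfg in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
            print(f"{version:>9} {name:>9}: exposed={is_exposed(version, cfg)}")
```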


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-h294-8fxm-m2pj   Apache Superset allows authenticated users to view sensitive data without explicit permissions
History

Wed, 25 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared   Apache; Apache superset
Vendors & Products    Apache; Apache superset

Tue, 24 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 24 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
Description A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)
Title Apache Superset: Sensitive Data Exposure via REST API (disabled by default)
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-02-24T18:19:38.494Z

Reserved: 2026-01-19T17:00:45.868Z

Link: CVE-2026-23983

Vulnrichment

Updated: 2026-02-24T18:19:38.494Z

NVD

Status : Analyzed

Published: 2026-02-24T14:16:23.143

Modified: 2026-02-25T14:37:49.577

Link: CVE-2026-23983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses