GHSA-mhpq-m962-mg92: Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset versions before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.
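
The enumeration pattern described above (one authenticated user stepping through many datasource_id values on /explore) can be looked for in access logs. The following Python is an added example, not code from the advisory or from Apache Superset; the log layout (Common Log Format with the authenticated user in the third field), the query-string form of the URL, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample: alice opens two charts 40 minutes apart,
# bob requests datasource_id 1..6 within six seconds.
SAMPLE_LOG = (
    '10.0.0.5 - alice [14/Aug/2025:10:00:01 +0000] '
    '"GET /explore/?datasource_type=table&datasource_id=7 HTTP/1.1" 200 5120\n'
    '10.0.0.5 - alice [14/Aug/2025:10:40:00 +0000] '
    '"GET /explore/?datasource_type=table&datasource_id=12 HTTP/1.1" 200 5300\n'
) + "".join(
    f'10.0.0.9 - bob [14/Aug/2025:11:00:{i:02d} +0000] '
    f'"GET /explore/?datasource_type=table&datasource_id={i} HTTP/1.1" 200 4100\n'
    for i in range(1, 7)
)

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<url>\S+) ')

def explore_hits(log_text):
    """Yield (user, timestamp, datasource_id) for each authenticated /explore request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] == "-":
            continue
        url = urlsplit(m["url"])
        if not url.path.rstrip("/").endswith("/explore"):
            continue
        ids = parse_qs(url.query).get("datasource_id", [])
        if ids and ids[0].isdigit():
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["user"], ts, int(ids[0])

def find_enumeration(log_text, min_distinct=5, window=timedelta(minutes=5)):
    """Return {user: all ids requested} for users who asked for at least
    min_distinct different datasource_id values inside one sliding window.
    The default thresholds are assumptions; tune them to normal usage."""
    per_user = defaultdict(list)
    for user, ts, ds_id in explore_hits(log_text):
        per_user[user].append((ts, ds_id))
    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({ds for _, ds in hits[start:end + 1]}) >= min_distinct:
                flagged[user] = sorted({ds for _, ds in hits})
                break
    return flagged
```

Flagged users are candidates for review against the datasources they are actually permitted to access; upgrading to 5.0.0 remains the fix.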

CVE ID: CVE-2025-55675

Severity: Moderate (GitHub Reviewed). Published Aug 14, 2025 to the GitHub Advisory Database; updated Aug 14, 2025.

Package: apache-superset (pip)

Affected versions: < 5.0.0

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55675
  • https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
