Apache Superset: Dashboard metadata information leak
Description
Apache Superset, when the DASHBOARD_CACHE feature flag is enabled, allows unauthenticated access to dashboard configuration metadata via the REST API. This affects versions 1.5.2 and prior, and version 2.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-45438 affects Apache Superset when the DASHBOARD_CACHE feature flag is explicitly enabled (disabled by default). The vulnerability allows an unauthenticated attacker to access dashboard configuration metadata through a REST API GET endpoint. This issue is present in Superset versions 1.5.2 and prior, as well as version 2.0.0 [1].
The attack does not require authentication, only that the DASHBOARD_CACHE flag is active. The REST API endpoint exposes sensitive metadata about dashboard configurations, which could include information about the structure and settings of dashboards [2].
Exploitation could lead to information disclosure, where an attacker gains insight into dashboard designs, data sources, or user-configured parameters. This information could be used for further attacks or to understand the system's configuration.
The recommended mitigation is to leave the DASHBOARD_CACHE feature flag disabled unless it is genuinely needed, and to upgrade to a fixed release once one is available. The issue illustrates why a feature flag that changes how requests are served needs the same authorization checks on its REST API endpoints as the default code path.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
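The practical check a defender wants after reviewing this advisory is whether dashboard API paths on their own instance answer an anonymous request with data. The probe below is an added example, not code from the advisory or the Superset project. It assumes the REST API lives under /api/v1/ (the listed paths are illustrative and should be adjusted to the endpoints actually exposed), that a correctly protected endpoint answers an anonymous client with 401 or 403, and that a successful Superset API response wraps its payload in a JSON object with a "result" key. The sample responses are constructed so the script runs offline; a 200 that carries an HTML login page (from a followed redirect) is deliberately not counted as exposure.

```python
"""Unauthenticated-access probe for Apache Superset REST API paths.

Added example; not code from the advisory or the Superset project.
Assumptions: API paths live under /api/v1/ (the specific paths listed are
illustrative), a protected endpoint answers an anonymous request with 401
or 403, and a successful response wraps its payload under a "result" key.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]

# Illustrative paths (assumption): replace with the dashboard endpoints your
# instance actually exposes.
CANDIDATE_PATHS: List[str] = [
    "/api/v1/dashboard/",
    "/api/v1/dashboard/1",
    "/api/v1/dashboard/1/charts",
    "/api/v1/dashboard/1/datasets",
]


def http_fetch(url: str) -> Tuple[int, bytes]:
    """GET a URL with no cookies or tokens; return (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 401/403 arrive as exceptions; they are the expected outcome here.
        return err.code, err.read()


def looks_like_metadata(body: bytes) -> bool:
    """True if the body is JSON with the assumed Superset "result" wrapper."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and "result" in data


def probe(base_url: str, paths: List[str], fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Request each path anonymously and record whether it served metadata."""
    results: Dict[str, dict] = {}
    base = base_url.rstrip("/")
    for path in paths:
        status, body = fetch(base + path)
        results[path] = {
            "status": status,
            # A 200 with a metadata-shaped body for an anonymous client is the finding;
            # a 200 carrying an HTML login page (followed redirect) is not.
            "exposed": status == 200 and looks_like_metadata(body),
        }
    return results


def exposed_paths(results: Dict[str, dict]) -> List[str]:
    """Paths that answered an anonymous request with metadata."""
    return sorted(p for p, r in results.items() if r["exposed"])


# Constructed responses so the probe can be exercised offline; they are not
# captured from a real instance.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "/api/v1/dashboard/": (401, b'{"message": "Unauthorized"}'),
    "/api/v1/dashboard/1": (200, b'{"id": 1, "result": {"dashboard_title": "Sales"}}'),
    "/api/v1/dashboard/1/charts": (200, b"<html>login</html>"),
    "/api/v1/dashboard/1/datasets": (403, b'{"message": "Forbidden"}'),
}


def constructed_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for http_fetch backed by CONSTRUCTED_RESPONSES."""
    path = urllib.parse.urlparse(url).path
    return CONSTRUCTED_RESPONSES.get(path, (404, b""))


if __name__ == "__main__":
    findings = probe("http://superset.example", CANDIDATE_PATHS, fetch=constructed_fetch)
    for path, r in findings.items():
        print(f"{r['status']:>3} {'EXPOSED' if r['exposed'] else 'ok':8} {path}")
```

Run it against a real instance by calling probe with the default fetcher and your base URL; any path listed by exposed_paths is one that served dashboard metadata to a client holding no session at all, which is the condition the advisory describes.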
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | <= 1.5.2 | — |
Affected products
- osv-coords, 2 version ranges:
  - range: < 1.5.3 (no CPE)
  - range: <= 1.5.2 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8f5j-mgx9-5hm5 (GitHub Security Advisory)
- lists.apache.org/thread/snxbkf2x9kww7s0wkmydct9nhqqn9rv9 (vendor advisory, Apache mailing list)
- nvd.nist.gov/vuln/detail/CVE-2022-45438 (NVD advisory)
News mentions
No linked articles in our index yet.