VYPR
High severityCISA KEVNVD Advisory· Published Apr 24, 2023· Updated Oct 21, 2025

Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

CVE-2023-27524

Description

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your superset_config.py file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with SUPERSET_SECRET_KEY environment variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
apache-supersetPyPI
< 2.1.02.1.0

Affected products

3

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.