VYPR
← All advisories
High severityCISA KEVNVD Advisory· Published Apr 24, 2023· Updated Oct 21, 2025

Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

CVE-2023-27524

Description

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.

All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your superset_config.py file like:

SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>

Alternatively you can set it with SUPERSET_SECRET_KEY environment variable.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
apache-supersetPyPI
< 2.1.02.1.0

Affected products

1
  • Apache Software Foundation/Apache Supersetv5
    Range: 0

Patches

1
b180319bbf08

fix: refuse to start with default secret on non debug envs (#23186)

https://github.com/apache/supersetDaniel Vaz GasparMar 1, 2023via ghsa
commit
5 files changed · +23 5
  • docker/.env-non-dev+1 0 modified
    @@ -42,6 +42,7 @@ REDIS_PORT=6379
 FLASK_ENV=production
 SUPERSET_ENV=production
 SUPERSET_LOAD_EXAMPLES=yes
+SUPERSET_SECRET_KEY=TEST_NON_DEV_SECRET
 CYPRESS_CONFIG=false
 SUPERSET_PORT=8088
 MAPBOX_API_KEY=''
  • docs/docs/installation/configuring-superset.mdx+2 2 modified
    @@ -23,8 +23,8 @@ SUPERSET_WEBSERVER_PORT = 8088
 # Your App secret key will be used for securely signing the session cookie
 # and encrypting sensitive information on the database
 # Make sure you are changing this key for your deployment with a strong key.
-# You can generate a strong key using `openssl rand -base64 42`
-
+# You can generate a strong key using `openssl rand -base64 42`.
+# Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
 SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
 
 # The SQLAlchemy connection string to your database backend
  • superset/config.py+3 2 modified
    @@ -188,10 +188,11 @@ def _try_json_readsha(filepath: str, length: int) -> Optional[str]:
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 # ---------------------------------------------------------
 
-# Your App secret key. Make sure you override it on superset_config.py.
+# Your App secret key. Make sure you override it on superset_config.py
+# or use `SUPERSET_SECRET_KEY` environment variable.
 # Use a strong complex alphanumeric string and use a tool to help you generate
 # a sufficiently random sequence, ex: openssl rand -base64 42"
-SECRET_KEY = CHANGE_ME_SECRET_KEY
+SECRET_KEY = os.environ.get("SUPERSET_SECRET_KEY") or CHANGE_ME_SECRET_KEY
 
 # The SQLAlchemy connection string.
 SQLALCHEMY_DATABASE_URI = "sqlite:///" + os.path.join(DATA_DIR, "superset.db")
  • superset/initialization/__init__.py+16 1 modified
    @@ -18,6 +18,7 @@
 
 import logging
 import os
+import sys
 from typing import Any, Callable, Dict, TYPE_CHECKING
 
 import wtforms_json
@@ -458,7 +459,7 @@ def init_app_in_ctx(self) -> None:
         self.init_views()
 
     def check_secret_key(self) -> None:
-        if self.config["SECRET_KEY"] == CHANGE_ME_SECRET_KEY:
+        def log_default_secret_key_warning() -> None:
             top_banner = 80 * "-" + "\n" + 36 * " " + "WARNING\n" + 80 * "-"
             bottom_banner = 80 * "-" + "\n" + 80 * "-"
             logger.warning(top_banner)
@@ -471,6 +472,20 @@ def check_secret_key(self) -> None:
             )
             logger.warning(bottom_banner)
 
+        if self.config["SECRET_KEY"] == CHANGE_ME_SECRET_KEY:
+            if (
+                self.superset_app.debug
+                or self.superset_app.config["TESTING"]
+                # There must be a better way
+                or "pytest" in sys.modules
+            ):
+                logger.warning("Debug mode identified with default secret key")
+                log_default_secret_key_warning()
+                return
+            log_default_secret_key_warning()
+            logger.error("Refusing to start due to insecure SECRET_KEY")
+            sys.exit(1)
+
     def init_app(self) -> None:
         """
         Main entry point which will delegate to other methods in
  • UPDATING.md+1 0 modified
    @@ -24,6 +24,7 @@ assists people when migrating to a new version.
 
 ## Next
 
+- [23186](https://github.com/apache/superset/pull/23186): Superset will refuse to start if a default `SECRET_KEY` is detected on a non Flask debug setting.
 - [22022](https://github.com/apache/superset/pull/22022): HTTP API endpoints `/superset/approve` and `/superset/request_access` have been deprecated and their HTTP methods were changed from GET to POST
 - [20606](https://github.com/apache/superset/pull/20606): When user clicks on chart title or "Edit chart" button in Dashboard page, Explore opens in the same tab. Clicking while holding cmd/ctrl opens Explore in a new tab. To bring back the old behaviour (always opening Explore in a new tab), flip feature flag `DASHBOARD_EDIT_CHART_IN_NEW_TAB` to `True`.
 - [20799](https://github.com/apache/superset/pull/20799): Presto and Trino engine will now display tracking URL for running queries in SQL Lab. If for some reason you don't want to show the tracking URL (for example, when your data warehouse hasn't enabled access for to Presto or Trino UI), update `TRACKING_URL_TRANSFORMER` in `config.py` to return `None`.

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.