Apache Superset: Open Redirect Vulnerability
Description
An authenticated attacker with the update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header; users could then be redirected to that site when clicking on the affected dataset. This issue affects Apache Superset versions before 3.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Superset before 3.0.0 allows an authenticated attacker with dataset update permissions to perform an open redirect via Host header spoofing.
Vulnerability
Overview
CVE-2023-42502 is an open redirect vulnerability in Apache Superset versions prior to 3.0.0. The root cause is insufficient validation of the HTTP Host header when an authenticated user with update datasets permission modifies a dataset link. By spoofing the Host header, an attacker can change the dataset link to point to an arbitrary untrusted site [1][3].
Exploitation
To exploit this vulnerability, an attacker must have a valid authenticated session and possess the 'update datasets' permission. The attacker then crafts a request with a manipulated Host header, causing the dataset link to be stored with a malicious URL. When other users click on that dataset, they are redirected to the attacker-controlled site [3].
Impact
Successful exploitation results in an open redirect, which can be leveraged for phishing attacks, malware distribution, or other social engineering schemes. The redirection occurs without any warning to the user, increasing the likelihood of successful compromise [1].
Mitigation
Apache Superset version 3.0.0 and later include a fix for this issue. Users running earlier versions should upgrade to the latest release to eliminate the vulnerability. No workaround is documented [3].
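The pattern the Overview and Mitigation sections describe, shown as an added illustration that is not Apache Superset's code and is not taken from the advisory or its references: a link builder that derives absolute dataset links from whatever Host header the client sent (the weak pattern), beside one that honours the Host header only when it matches a configured allowlist and otherwise falls back to a canonical base URL. The host names, paths, allowlist and base URL are constructed placeholders, and `is_external_redirect` is a hypothetical helper a reviewer or detection rule could apply to stored links.

```python
"""
Host-header trust when building stored links (pattern behind CVE-2023-42502).

Hypothetical code, not Apache Superset's implementation. The weak builder
copies the request's Host header into the stored link, so a spoofed header
becomes a redirect target for every later visitor. The hardened builder
only accepts allowlisted hosts and otherwise uses the canonical base URL.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration values (assumed; not from the advisory).
CANONICAL_BASE = "https://superset.example.internal"
ALLOWED_HOSTS = {"superset.example.internal", "bi.example.internal"}


def _host_without_port(host_header: str) -> str:
    # Host may carry a port ("bi.example.internal:8443"); compare on hostname only.
    return urlsplit(f"//{host_header}").hostname or ""


def weak_dataset_link(host_header: str, dataset_path: str) -> str:
    """Weak pattern: the absolute link is built from the client-supplied Host
    header, so the stored value is controlled by whoever sent the request."""
    return f"https://{host_header}{dataset_path}"


def hardened_dataset_link(host_header: str, dataset_path: str) -> str:
    """Hardened pattern: honour the Host header only if it is allowlisted;
    otherwise build the link on the configured canonical base URL."""
    base = urlsplit(CANONICAL_BASE)
    host = _host_without_port(host_header)
    netloc = host_header if host in ALLOWED_HOSTS else base.netloc

    # Accept only an absolute path (plus optional query). A full URL passed as
    # the path would otherwise replace the scheme and host chosen above.
    parts = urlsplit(dataset_path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError("dataset_path must be an absolute path on this server")
    return urlunsplit((base.scheme, netloc, parts.path, parts.query, ""))


def is_external_redirect(link: str) -> bool:
    """Defensive check for stored links: True when the link's host is not one
    of the allowlisted hosts, i.e. following it would leave this deployment."""
    return _host_without_port(urlsplit(link).netloc) not in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request values: an untrusted Host header and a dataset path.
    spoofed_host, path = "untrusted.example", "/datasets/42"
    weak = weak_dataset_link(spoofed_host, path)
    safe = hardened_dataset_link(spoofed_host, path)
    print("weak    :", weak, "(external)" if is_external_redirect(weak) else "")
    print("hardened:", safe, "(external)" if is_external_redirect(safe) else "")
```

The same allowlist check works as a detection control: scanning stored dataset links with `is_external_redirect` flags any entry whose host is outside the deployment, which is exactly the artefact a successful Host-header spoof would leave behind.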
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 3.0.0 | 3.0.0 |
Affected products
- OSV coordinates (no CPE): range < 3.0.0
- Apache Software Foundation / Apache Superset
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hc74-9vjm-c9xv (GHSA advisory)
- lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-42502 (NVD advisory)
- www.openwall.com/lists/oss-security/2023/11/28/3 (oss-security post)
News mentions
No linked articles in our index yet.