Apache Superset: Lack of rate limiting allows for possible denial of service
Description
An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.
This issue affects Apache Superset: before 3.0.0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can cause denial of service in Apache Superset before 3.0.0 by launching multiple concurrent dashboard export requests without rate limiting.
Vulnerability
Description
Apache Superset versions before 3.0.0 lack rate limiting on the dashboard export endpoint [1][3]. An authenticated user can initiate multiple concurrent requests, each requesting multiple dashboard exports, overwhelming server resources. This is a resource exhaustion vulnerability that can lead to denial of service [1][3].
Attack Vector
An attacker must have valid authentication credentials to Superset [1]. From there, they can craft multiple simultaneous HTTP requests to the dashboard export functionality. The absence of rate limiting allows an attacker to generate a high volume of export jobs, consuming server CPU, memory, and I/O capacity without restriction [3].
Impact
Successful exploitation causes excessive resource consumption, making the Superset instance unresponsive to legitimate users. This constitutes a denial of service, impacting availability of the data visualization platform [1][3].
Mitigation
The vulnerability is fixed in Apache Superset version 3.0.0 [1][3]. Users should upgrade to this release or later. No workarounds are documented in the advisory.
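The control the advisory says was missing, shown as an added example that is not Superset's own code and not a documented workaround: a per-user limiter for a heavy endpoint such as dashboard export. It caps the number of export jobs a single user may have in flight, the number of export requests the user may make per sliding window, and the number of dashboards a single request may name, so one authenticated account cannot monopolize CPU, memory and I/O. Superset is a Flask application, but the snippet deliberately avoids any framework so it runs offline; the class names, limits, user identifiers and status codes are all assumptions for the example.

```python
import threading
import time
from collections import defaultdict, deque

# Hypothetical limits for the example; real values depend on deployment size.
MAX_DASHBOARDS_PER_REQUEST = 5


class ExportLimiter:
    """Per-user limiter combining a concurrency cap and a sliding-window rate cap.

    try_acquire() must be paired with release() when the export job finishes;
    a request that is refused holds no slot and needs no release.
    """

    def __init__(self, max_concurrent=2, max_per_window=10, window_s=60.0,
                 clock=time.monotonic):
        self.max_concurrent = max_concurrent
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._clock = clock  # injectable so tests can advance time deterministically
        self._lock = threading.Lock()
        self._in_flight = defaultdict(int)      # user -> jobs currently running
        self._history = defaultdict(deque)      # user -> timestamps of accepted requests

    def try_acquire(self, user_id):
        """Return True and reserve a job slot, or False if either cap is exceeded."""
        now = self._clock()
        with self._lock:
            hist = self._history[user_id]
            # Forget accepted requests that have aged out of the window.
            while hist and now - hist[0] >= self.window_s:
                hist.popleft()
            if self._in_flight[user_id] >= self.max_concurrent:
                return False
            if len(hist) >= self.max_per_window:
                return False
            self._in_flight[user_id] += 1
            hist.append(now)
            return True

    def release(self, user_id):
        """Free a job slot once the export has completed or failed."""
        with self._lock:
            if self._in_flight[user_id] > 0:
                self._in_flight[user_id] -= 1


def start_export(limiter, user_id, dashboard_ids):
    """Simulated export endpoint. Returns an HTTP-style status code.

    202 means a job slot is now held for user_id and the caller must invoke
    limiter.release(user_id) when the job ends; 400 and 429 hold nothing.
    """
    if not dashboard_ids or len(dashboard_ids) > MAX_DASHBOARDS_PER_REQUEST:
        return 400  # bound the work a single request can ask for
    if not limiter.try_acquire(user_id):
        return 429  # Too Many Requests: concurrency or window cap hit
    return 202


def simulate_burst(limiter, user_id, n_requests, ids_per_request=3):
    """Fire n_requests from one user while none of the jobs has finished yet.

    Models the advisory's scenario of many concurrent export requests from a
    single authenticated account; returns the status code of each request.
    """
    ids = [f"dash-{i}" for i in range(ids_per_request)]  # constructed ids
    return [start_export(limiter, user_id, ids) for _ in range(n_requests)]


if __name__ == "__main__":
    lim = ExportLimiter(max_concurrent=2, max_per_window=10, window_s=60.0)
    print("burst from one user:", simulate_burst(lim, "alice", 5))
    print("another user is unaffected:", start_export(lim, "bob", ["dash-0"]))
```

Without the limiter every request in `simulate_burst` would be accepted; with it, only `max_concurrent` jobs per user run at once and the rest are refused immediately with 429, which is cheap to serve. Other users keep their own budget, so the cap degrades service for the noisy account rather than for everyone.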
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 3.0.0 | 3.0.0 |
Affected products
- OSV coordinates (2 versions): range < 3.0.0
- (no CPE) range: < 3.0.0
- Apache Software Foundation / Apache Superset (v5) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-3hp7-4qq4-v5c6 (GHSA advisory)
- [2] https://lists.apache.org/thread/yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l (vendor advisory)
- [3] https://nvd.nist.gov/vuln/detail/CVE-2023-42504 (NVD advisory)
- [4] https://www.openwall.com/lists/oss-security/2023/11/28/6 (oss-security post)
News mentions
No linked articles in our index yet.