VYPR
Moderate severity · NVD Advisory · Published Feb 28, 2024 · Updated Feb 13, 2025

Apache Superset: Improper data authorization when creating a new dataset

CVE-2024-24779

Description

Apache Superset with custom roles that include can write on dataset and without all data access permissions allows users to create virtual datasets on data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Superset lets custom roles that hold can write on Dataset but no data access permissions create virtual datasets over databases they are not authorized to read, and then query them.

Vulnerability

CVE-2024-24779 is an improper data authorization flaw in Apache Superset before 3.0.4 and in 3.1.0 before 3.1.1. When a user creates a new dataset, Superset verifies that the user's role holds the can write on Dataset permission, but it does not verify that the user has data access to the database the dataset is built on. A custom role that carries the write permission without the data access permissions (such as all_datasource_access or the per-database grants) can therefore define a virtual dataset, that is, a dataset backed by an arbitrary SQL query, over data its holder is not allowed to read.

Attack Vector

An authenticated user whose custom role includes can write on Dataset, but which lacks data access to a given database, creates a virtual dataset whose SQL selects from tables in that database. Because dataset creation only validates the write permission, the request succeeds. The user then queries the new virtual dataset like any other dataset and Superset returns rows from data the role was never granted. No victim interaction is involved; the attacker acts entirely within their own session.

Impact

The attacker reads data from databases and schemas their role does not authorize, limited only by the SQL they can place in the virtual dataset and by what the affected database connection can reach. Confidentiality of that data is at risk. The Moderate rating reflects that exploitation requires an authenticated account holding a custom role with dataset write permission; the default roles do not combine dataset write access with missing data access in this way.

Mitigation

Apache has released Superset 3.0.4 and 3.1.1, which fix the issue by closing the authorization gap at dataset creation. All users should upgrade. Until then, review custom roles: any role that grants can write on Dataset without the matching data access permissions should either lose the write permission or be restricted to trusted users, and virtual datasets already created by holders of such roles should be audited for queries against databases those users were not granted.
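The following is an added, simplified model of the authorization gap described in the Vulnerability and Mitigation sections above; it is not Apache Superset's own code. The classes, function names and the simplified permission strings (for example "can_write on Dataset", "all_datasource_access", "database_access on [finance]") are assumptions made for this example and only loosely mirror Superset's Flask-AppBuilder vocabulary. It places the vulnerable creation path beside a hardened one and shows why owning a virtual dataset turns a missing check into unauthorized data access.

```python
"""Illustrative model of CVE-2024-24779 (not Superset code; names are assumptions)."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a permission check fails."""


@dataclass(frozen=True)
class Database:
    name: str

    @property
    def perm(self) -> str:
        # Hypothetical per-database permission name used by this model.
        return f"database_access on [{self.name}]"


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)

    def has(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class VirtualDataset:
    name: str
    database: Database
    sql: str
    owners: set = field(default_factory=set)


def can_access_database(user: User, db: Database) -> bool:
    """Data-access check: a blanket data permission or the specific database grant."""
    return (
        user.has("all_database_access")
        or user.has("all_datasource_access")
        or user.has(db.perm)
    )


def create_virtual_dataset_vulnerable(user: User, db: Database, name: str, sql: str) -> VirtualDataset:
    """Behaviour the advisory describes for affected versions: only the model-level
    write permission is checked, never data access to `db`."""
    if not user.has("can_write on Dataset"):
        raise AuthorizationError("missing can_write on Dataset")
    return VirtualDataset(name, db, sql, owners={user.username})


def create_virtual_dataset_fixed(user: User, db: Database, name: str, sql: str) -> VirtualDataset:
    """Hardened form: creation additionally requires data access to the target database."""
    if not user.has("can_write on Dataset"):
        raise AuthorizationError("missing can_write on Dataset")
    if not can_access_database(user, db):
        raise AuthorizationError(f"no data access to database {db.name!r}")
    return VirtualDataset(name, db, sql, owners={user.username})


def can_query(user: User, dataset: VirtualDataset) -> bool:
    """Query-time check. Modelling assumption: a dataset's owner may query it, which is
    what turns an unauthorized virtual dataset into unauthorized data access."""
    return user.username in dataset.owners or can_access_database(user, dataset.database)


def demo() -> dict:
    """Replay the scenario with a constructed custom role and return the outcomes."""
    finance = Database("finance")
    # Constructed user: custom role with dataset write access but no data access at all.
    analyst = User("analyst", {"can_write on Dataset"})
    sql = "SELECT * FROM salaries"
    results = {"direct_access": can_access_database(analyst, finance)}

    # Affected versions: creation succeeds and ownership lets the analyst read the data.
    ds = create_virtual_dataset_vulnerable(analyst, finance, "all_salaries", sql)
    results["vulnerable_created"] = True
    results["vulnerable_can_query"] = can_query(analyst, ds)

    # Fixed versions: creation is refused because the data access check now runs.
    try:
        create_virtual_dataset_fixed(analyst, finance, "all_salaries", sql)
        results["fixed_created"] = True
    except AuthorizationError:
        results["fixed_created"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interim mitigation in the text maps directly onto this model: removing "can_write on Dataset" from the analyst's role makes both creation paths fail, while granting the role the database permission makes the fixed path succeed for data the role is actually allowed to read.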

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions     Patched versions
apache-superset (PyPI)    < 3.0.4               3.0.4
apache-superset (PyPI)    >= 3.1.0, < 3.1.1     3.1.1

Affected products

3

Patches

0

No patches discovered yet.


References

4
