Apache Superset: Improper authorization validation on dashboards and charts import
Description
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.
This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated low-privilege users in Apache Superset can import dashboards/charts they lack access to and gain ownership via metadata modification.
Vulnerability
Description
Apache Superset's import functionality for dashboards and charts lacks proper authorization checks. A low-privilege authenticated user can import an existing dashboard or chart that they do not have access to, and then modify its metadata to gain ownership of the object [1][3].
Exploitation
The attack requires only a low-privilege account with access to the import feature. The attacker imports an object they cannot normally view, then alters metadata to assume ownership. No additional authentication or network position is needed [1][3].
Impact
Gaining ownership allows the attacker to manage the object, but access to the underlying analytical data remains restricted by existing data access privileges [1]. This represents a partial privilege escalation within the application.
Mitigation
The issue affects Apache Superset versions before 3.0.4 and versions from 3.1.0 before 3.1.1. Users should upgrade to version 3.1.1, which includes the fix [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 3.0.4 | 3.0.4 |
| apache-superset (PyPI) | >= 3.1.0, < 3.1.1 | 3.1.1 |
Affected products
Versions sourced from OSV coordinates.
- (no CPE) range: < 4.1.1
- (no CPE) range: < 3.0.4
- Apache Software Foundation / Apache Superset (v5) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3v9r-885j-762g (GHSA, advisory)
- lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-26016 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2024/02/28/7 (GHSA, web)
News mentions
No linked articles in our index yet.