Apache Superset: Incorrect datasource authorization on explore REST API
Description
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request. This issue affects Apache Superset: before 3.1.2.
Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated user can access unauthorized datasource metadata via a REST API request in Apache Superset before 3.1.2.
Vulnerability
Overview
CVE-2024-28148 is an authorization bypass vulnerability in Apache Superset's explore REST API. The root cause is an insufficient access control check on that API: the datasource referenced by a request is not verified against the calling user's permissions, so an authenticated user can retrieve metadata for a datasource they are not authorized to view [1].
Exploitation
An attacker needs only an authenticated Apache Superset account; no additional privileges beyond authentication are required. By crafting a targeted request to the explore REST API that references a datasource the account cannot normally see, they bypass the intended access restriction and obtain that datasource's metadata. The advisory does not enumerate which metadata fields are returned, only that datasource metadata is exposed [1].
Impact
Successful exploitation leads to unauthorized disclosure of datasource metadata. This could expose sensitive database schema details, potentially aiding further attacks or leaking business-critical information about data structures [1].
Mitigation
The vulnerability is fixed in Apache Superset version 3.1.2. Users are recommended to upgrade to this version or later. No workarounds have been provided [1].
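The check a practitioner would run first, added here as an example that is not part of the advisory or of the Superset project: it reads the installed apache-superset distribution version through importlib.metadata and compares it with the patched version 3.1.2 named in the advisory. The minimal version parser, the assess() report helper and the sample version strings are this example's own assumptions; pre-releases such as 3.1.2rc1 are deliberately treated as still affected, since they precede the fix.

```python
"""Version check for CVE-2024-28148 (Apache Superset, fixed in 3.1.2)."""
import re
from importlib import metadata

# Patched version from the advisory; everything below it is affected.
FIXED_VERSION = "3.1.2"

# Release digits, then an optional pre-release tag (dev/a/b/rc) and number.
# This small parser is an assumption of the example, not Superset's own.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(dev|a|b|rc)(\d*))?$")
_PRE_RANK = {"dev": 0, "a": 1, "b": 2, "rc": 3}


def parse_version(text):
    """Return a sortable tuple: four numeric parts, then a pre-release key.

    A final release sorts after any pre-release of the same number, so
    3.1.2rc1 < 3.1.2 and is therefore still counted as affected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")][:4]
    nums += [0] * (4 - len(nums))
    if m.group(2):
        pre = (0, _PRE_RANK[m.group(2)], int(m.group(3) or 0))
    else:
        pre = (1, 0, 0)
    return tuple(nums) + pre


def is_affected(version):
    """True when the given apache-superset version is below the fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version(dist="apache-superset"):
    """Version of the installed distribution, or None if it is not installed."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def assess(version):
    """Return a small report dict for one version string (None = not installed)."""
    if version is None:
        return {"version": None, "affected": None,
                "advice": "apache-superset is not installed in this interpreter"}
    affected = is_affected(version)
    return {"version": version, "affected": affected,
            "advice": (f"upgrade to {FIXED_VERSION} or later" if affected
                       else "not affected by CVE-2024-28148")}


if __name__ == "__main__":
    import json
    # Check the running environment first, then a few constructed sample
    # versions so the script still demonstrates the comparison on a host
    # that does not have Superset installed.
    for v in (installed_version(), "3.1.1", "3.1.2rc1", "3.1.2", "4.0.0"):
        print(json.dumps(assess(v)))
```

Run it inside the interpreter or virtualenv that actually serves Superset; for a containerised deployment run it inside the container (or against the image), because the host interpreter will simply report the package as not installed.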
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| apache-superset | PyPI | < 3.1.2 | 3.1.2 |
Affected products
3 OSV coordinates, 2 distinct version ranges:
- (no CPE) range: < 4.1.1
- (no CPE) range: < 3.1.2
- Apache Software Foundation / Apache Superset (CVE v5 record): no version range recorded
The < 4.1.1 coordinate is as recorded in the OSV data; the advisory text itself names 3.1.2 as the fixed version.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-299q-3p96-5898 (GitHub Security Advisory)
- https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo (vendor advisory, Apache mailing list)
- https://nvd.nist.gov/vuln/detail/CVE-2024-28148 (NVD)
News mentions
No linked articles in our index yet.