Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled
Description
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.
This issue affects Apache Superset from 2.0.0 before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Superset 2.0.0 to before 4.1.0, when FAB_ADD_SECURITY_API is enabled (disabled by default), lower privilege users can improperly access the security API.
CVE-2024-53949 is an improper authorization vulnerability in Apache Superset that affects versions from 2.0.0 up to, but not including, 4.1.0 [1]. The vulnerability specifically impacts the security API (FAB_ADD_SECURITY_API), which is disabled by default but can be enabled by administrators [1][4]. The root cause is a missing or insufficient authorization check that allows lower privilege users, such as Gamma role users, to interact with this API endpoint [3].
Exploitation occurs when a user with a limited role (e.g., Gamma) sends HTTP requests to the security API endpoints, such as api/v1/security/roles/ [3]. The commit fixing the issue includes test cases demonstrating that while an admin user can successfully get, create, and update roles, a Gamma user should receive a 403 Forbidden response for GET, POST, and PUT operations [3]. This indicates the API was not properly restricting access based on user privileges.
The impact is that an authenticated lower privilege user can potentially create, read, update, or delete roles within Apache Superset [1][4]. Since roles govern permissions, this could lead to privilege escalation, where the attacker grants themselves or others higher privileges, potentially compromising the entire Superset instance and the data it accesses.
The fix is included in Apache Superset version 4.1.0 [1][4]. Users running versions 2.0.0 through 4.0.x are advised to upgrade to 4.1.0 to mitigate the issue. As the feature is disabled by default, administrators who have not enabled FAB_ADD_SECURITY_API are not exposed to this vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
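As an added example (not Superset's own code and not part of this record), the exposure logic the narrative above describes, in Python: a deployment is affected only when the installed version lies in [2.0.0, 4.1.0) and superset_config.py opts into FAB_ADD_SECURITY_API, followed by a post-upgrade check that mirrors the fix's tests by confirming a Gamma session is refused on api/v1/security/roles/. The `send` callback, the version-parsing helper and the sample inputs are assumptions of this example.

```python
import ast
import re
from typing import Callable, Dict, Tuple

# Constructed constants for this example (not Superset's own code).
AFFECTED_MIN = (2, 0, 0)  # first affected release named in the advisory
FIXED = (4, 1, 0)         # release that adds the admin-only guard
ROLES_URI = "api/v1/security/roles/"  # endpoint exercised by the fix's tests


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.0.2rc1' -> (4, 0, 2); pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p or 0) for p in m.groups())


def security_api_enabled(config_source: str) -> bool:
    """True when superset_config.py source sets FAB_ADD_SECURITY_API = True.
    Top-level assignments are read in order so the last one wins, as on
    import; an unset flag means the default, False."""
    enabled = False
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "FAB_ADD_SECURITY_API"
            for t in node.targets
        ):
            enabled = isinstance(node.value, ast.Constant) and node.value.value is True
    return enabled


def is_exposed(version: str, config_source: str) -> bool:
    """Exposed only when the vulnerable range AND the opt-in flag both hold."""
    return AFFECTED_MIN <= parse_version(version) < FIXED and security_api_enabled(config_source)


def gamma_denied(send: Callable[[str, str], int]) -> Dict[str, bool]:
    """Post-upgrade check mirroring the fix's tests: each request a Gamma
    session makes to the roles endpoint must come back 403.
    `send(method, path) -> status` is caller-supplied (e.g. a requests.Session
    logged in as a Gamma user); True in the result means correctly denied."""
    calls = [("GET", ROLES_URI), ("POST", ROLES_URI),
             ("PUT", ROLES_URI + "1"), ("DELETE", ROLES_URI + "1")]
    return {f"{m} {p}": send(m, p) == 403 for m, p in calls}


if __name__ == "__main__":  # constructed sample inputs
    print(is_exposed("4.0.2", "FAB_ADD_SECURITY_API = True\n"))
    print(gamma_denied(lambda method, path: 200))  # stand-in for an unpatched server
```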
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| apache-superset | PyPI | >= 2.0.0, < 4.1.0 | 4.1.0 |
Affected products
- osv-coords (no CPE): range >= 2.0.0, < 4.1.1
- osv-coords (no CPE): range >= 2.0.0, < 4.1.0
- Apache Software Foundation / Apache Superset (v5): range 2.0.0
Patches
- 7650c47e72f2 fix: Gamma users shouldn't be able to create roles (#29687)
3 files changed · +70 −0
superset/security/manager.py+6 −0 modified@@ -238,6 +238,12 @@ class SupersetSecurityManager( # pylint: disable=too-many-public-methods "SQL Lab", "User Registrations", "User's Statistics", + # Guarding all AB_ADD_SECURITY_API = True REST APIs + "Role", + "Permission", + "PermissionViewMenu", + "ViewMenu", + "User", } | USER_MODEL_VIEWS ALPHA_ONLY_VIEW_MENUS = {
tests/integration_tests/security/api_tests.py+62 −0 modified@@ -26,6 +26,7 @@ from superset.models.dashboard import Dashboard from superset.utils.urls import get_url_host from superset.utils import json +from tests.integration_tests.conftest import with_config from tests.integration_tests.base_tests import SupersetTestCase from tests.integration_tests.constants import ADMIN_USERNAME, GAMMA_USERNAME from tests.integration_tests.fixtures.birth_names_dashboard import ( 
@@ -135,3 +136,64 @@ def test_post_guest_token_bad_resources(self): ) self.assert400(response) + + +class TestSecurityRolesApi(SupersetTestCase): + uri = "api/v1/security/roles/" # noqa: F541 + + @with_config({"FAB_ADD_SECURITY_API": True}) + def test_get_security_roles_admin(self): + """ + Security API: Admin should be able to get roles + """ + self.login(ADMIN_USERNAME) + response = self.client.get(self.uri) + self.assert200(response) + + @with_config({"FAB_ADD_SECURITY_API": True}) + def test_get_security_roles_gamma(self): + """ + Security API: Gamma should not be able to get roles + """ + self.login(GAMMA_USERNAME) + response = self.client.get(self.uri) + self.assert403(response) + + @with_config({"FAB_ADD_SECURITY_API": True}) + def test_post_security_roles_gamma(self): + """ + Security API: Gamma should not be able to create roles + """ + self.login(GAMMA_USERNAME) + response = self.client.post( + self.uri, + data=json.dumps({"name": "new_role"}), + content_type="application/json", + ) + self.assert403(response) + + @with_config({"FAB_ADD_SECURITY_API": True}) + def test_put_security_roles_gamma(self): + """ + Security API: Gamma shouldnt be able to update roles + """ + self.login(GAMMA_USERNAME) + response = self.client.put( + f"{self.uri}1", + data=json.dumps({"name": "new_role"}), + content_type="application/json", + ) + self.assert403(response) + + @with_config({"FAB_ADD_SECURITY_API": True}) + def test_delete_security_roles_gamma(self): + """ + Security API: Gamma shouldnt be able to delete roles + """ + self.login(GAMMA_USERNAME) + response = self.client.delete( + f"{self.uri}1", + data=json.dumps({"name": "new_role"}), + content_type="application/json", + ) + self.assert403(response)
tests/integration_tests/superset_test_config.py+2 −0 modified@@ -137,6 +137,8 @@ def GET_FEATURE_FLAGS_FUNC(ff): ALERT_REPORTS_QUERY_EXECUTION_MAX_TRIES = 3 +FAB_ADD_SECURITY_API = True + class CeleryConfig: broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/{REDIS_CELERY_DB}"
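Review bot: the comment in the superset/security/manager.py hunk misspells the setting as `AB_ADD_SECURITY_API`; the key the tests enable is `FAB_ADD_SECURITY_API`, so change it to `# Guarding all FAB_ADD_SECURITY_API = True REST APIs`. The guard also depends on the strings "Role", "Permission", "PermissionViewMenu", "ViewMenu" and "User" matching the view-menu names Flask-AppBuilder registers for its security views exactly, so a comment pointing at where those names come from would help, since a renamed view would silently drop out of the set.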
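Review bot: in the TestSecurityRolesApi hunk the `# noqa: F541` on `uri = "api/v1/security/roles/"` is stale: F541 flags an f-string without placeholders and this is a plain string, so drop the suppression. The two docstrings reading "Gamma shouldnt" need an apostrophe. Only the admin GET case has a positive test; adding admin POST/PUT/DELETE counterparts would show the new admin-only entries deny Gamma without also locking admins out. The DELETE test also sends a JSON body the endpoint does not use; dropping `data` and `content_type` there keeps the request representative.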
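Review bot: the superset_test_config.py hunk sets `FAB_ADD_SECURITY_API = True` for the whole test suite while every new test already enables it with `@with_config({"FAB_ADD_SECURITY_API": True})`; one of the two is redundant, and the global setting changes the configuration every other integration test runs under. Either remove the global assignment or add a comment explaining why both are needed.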
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-35fc-9hrj-3585 (source: ghsa; type: ADVISORY)
- lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d (source: ghsa; type: vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-53949 (source: ghsa; type: ADVISORY)
- www.openwall.com/lists/oss-security/2024/12/09/4 (source: ghsa; type: WEB)
- github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7 (source: ghsa; type: WEB)