Apache Superset: Metadata exposure in embedded charts
Description
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.
This issue affects Apache Superset: before 4.1.3.
Users are recommended to upgrade to version 4.1.3, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Superset before 4.1.3 leaks database schema in API response to guest users via the /chart/data endpoint.
Vulnerability
Overview
CVE-2025-55673 describes an information disclosure vulnerability in Apache Superset, affecting versions prior to 4.1.3. When a guest user accesses a chart, the /chart/data API response includes a query field that contains the underlying SQL query. This exposes database schema details, such as table and column names, to low-privileged guest users [1][3].
Attack
Vector and Prerequisites
The vulnerability is exploitable by any guest user, who typically has limited permissions. The attacker does not need special authentication beyond guest access, and can trigger the disclosure by simply viewing a chart via the embedded analytics feature. The /chart/data endpoint inadvertently returns the full query in the payload, rather than only the query results [1][3].
Impact
A successful exploit allows a guest user to obtain sensitive metadata about the underlying database, including table names and column structures. This information could aid in planning further attacks, such as schema inference or targeted SQL injection, but does not directly expose row-level data [1][3].
Mitigation
Apache Software Foundation has addressed the issue in Superset version 4.1.3. Users are strongly advised to upgrade to this version or later to prevent the leakage of query metadata to unprivileged users [1][2][3]. No workarounds have been detailed.
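The disclosure described above is easy to confirm from a captured response body: a vulnerable server hands the guest session a `query` string alongside the chart data, while a fixed server returns the data alone. The check below is an added example, not code from the Apache Superset project. It assumes only what the advisory states (a `query` field somewhere in the /chart/data JSON payload); the nesting used in the constructed samples (a top-level `result` list of per-query objects) is an assumption, which is why the walker searches the whole document rather than one fixed path. The redaction helper is an illustrative embedding-side response filter, also an assumption; the advisory names the upgrade to 4.1.3, not a filter, as the fix.

```python
"""Check a captured Superset /chart/data response for disclosed query text.

Added example, not code from the Apache Superset project. The payload
layout in the constructed samples below is an assumption; the search is
structural (any "query" string anywhere in the document) so it does not
depend on that layout.
"""
import json
from typing import Any, List, Tuple

# Constructed sample: what a vulnerable server might return to a guest session.
LEAKY_RESPONSE = json.dumps({
    "result": [
        {
            "query": "SELECT region, SUM(sales) AS total FROM sales_fact GROUP BY region",
            "status": "success",
            "data": [{"region": "EMEA", "total": 1200}],
        }
    ]
})

# Constructed sample: the same chart data with the query text withheld.
CLEAN_RESPONSE = json.dumps({
    "result": [
        {"status": "success", "data": [{"region": "EMEA", "total": 1200}]}
    ]
})


def find_query_fields(payload: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Return (json_path, sql_text) for every non-empty "query" string in the payload."""
    hits: List[Tuple[str, str]] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key == "query" and isinstance(value, str) and value.strip():
                hits.append((child, value))
            else:
                # A "query" key holding an object is not SQL text; keep walking.
                hits.extend(find_query_fields(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_query_fields(item, f"{path}[{i}]"))
    return hits


def disclosed_paths(raw_json: str) -> List[str]:
    """JSON paths of every query string a caller would see in this response body."""
    return [where for where, _ in find_query_fields(json.loads(raw_json))]


def discloses_query(raw_json: str) -> bool:
    """True when a captured /chart/data body reveals SQL to the caller."""
    return bool(disclosed_paths(raw_json))


def _redact(payload: Any) -> Any:
    """Copy of the payload with every "query" string blanked out; other fields untouched."""
    if isinstance(payload, dict):
        return {
            k: ("" if k == "query" and isinstance(v, str) else _redact(v))
            for k, v in payload.items()
        }
    if isinstance(payload, list):
        return [_redact(item) for item in payload]
    return payload


def redact_response(raw_json: str) -> str:
    """Illustrative response filter (assumption, not a documented workaround)."""
    return json.dumps(_redact(json.loads(raw_json)))


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        for where, sql in find_query_fields(json.loads(body)):
            print(f"{label}: query text at {where}: {sql}")
        print(f"{label}: discloses query = {discloses_query(body)}")
```

Run it against a body saved from a guest session before and after the upgrade; a fixed deployment should produce no paths for any chart the guest can open.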
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 4.1.3.post1 | 4.1.3.post1 |
Affected products
- Apache Software Foundation / Apache Superset
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9g5x-mm39-wg9r (GHSA, advisory)
- lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8 (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-55673 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2025/08/14/3 (GHSA, web)
News mentions
No linked articles in our index yet.