VYPR
Moderate severity · NVD Advisory · Published Aug 14, 2025 · Updated Nov 4, 2025

Apache Superset: Incorrect datasource authorization on REST API

CVE-2025-55675

Description

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset versions before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users in Apache Superset <5.0.0 can enumerate datasource metadata via the /explore endpoint due to missing authorization checks.

Vulnerability Description

CVE-2025-55675 describes an improper access control vulnerability in Apache Superset's /explore endpoint. The root cause is a missing authorization check that fails to verify a user's permissions on a datasource when accessing its metadata through this REST API endpoint. This flaw affects all Superset versions prior to 5.0.0 [1][3].

Exploitation Method

An authenticated attacker can exploit this by manually iterating through the datasource_id parameter in the URL of the /explore endpoint. No special privileges or elevated permissions are required beyond possessing a valid user account on the Superset instance. The attacker does not need any prior knowledge of protected datasources; simple brute-force iteration of numeric IDs suffices [1][3].
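The iteration described above leaves a recognizable trace in request logs: one account touching a run of consecutive datasource_id values on /explore. The following is an added detection example, not code from the advisory or the Superset project; the log line format, user names and thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log. Assumed line format: timestamp user "GET url" status
SAMPLE_LOG = "\n".join(
    ['2025-08-01T10:00:01Z alice "GET /explore/?datasource_id=12" 200',
     '2025-08-01T10:05:09Z alice "GET /explore/?datasource_id=40" 200',
     '2025-08-01T10:06:00Z alice "GET /dashboard/list/" 200']
    + [f'2025-08-01T11:00:{i:02d}Z bob "GET /explore/?datasource_id={i}" 200'
       for i in range(1, 9)]
)
LINE_RE = re.compile(r'^(\S+) (\S+) "GET (\S+)" (\d{3})$')

def explore_ids_by_user(log_text):
    """Map user -> set of distinct datasource_id values requested on /explore."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        user, url = m.group(2), m.group(3)
        parts = urlsplit(url)
        if "/explore" not in parts.path:
            continue
        for value in parse_qs(parts.query).get("datasource_id", []):
            if value.isdigit():
                seen[user].add(int(value))
    return seen

def longest_run(ids):
    """Length of the longest run of consecutive integers in the set ids."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def flag_enumeration(log_text, min_distinct=5, min_run=4):
    """Users whose /explore requests cover many distinct, consecutive IDs.
    Thresholds are illustrative assumptions; tune them to normal usage."""
    return sorted(
        user for user, ids in explore_ids_by_user(log_text).items()
        if len(ids) >= min_distinct and longest_run(ids) >= min_run
    )

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Cross-checking flagged accounts against the datasources each one is actually permitted to use separates enumeration from ordinary browsing by users with broad access.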

Impact

Successful exploitation allows the attacker to confirm the existence of datasources they should not have access to and retrieve their names. This constitutes sensitive information disclosure, as the exposure of datasource names can reveal business-sensitive or confidential data schemas. The vulnerability does not grant the attacker direct access to the underlying data in the datasource, but the leaked metadata can inform further targeted attacks [1].

Mitigation

Apache Software Foundation has fixed this issue in Apache Superset version 5.0.0. Users are strongly recommended to upgrade to this release or later. No workarounds have been publicly documented, making the upgrade the sole mitigation path [1][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: apache-superset (PyPI)
Affected versions: < 5.0.0
Patched versions: 5.0.0

Affected products (2)

  • Apache/Superset (llm-fuzzy)
    Range: <5.0.0
  • Apache Software Foundation/Apache Superset (v5)
    Range: 0


References

4
