PyPI: apache-superset
CVE-2025-55675
Safety vulnerability ID: SFTY-20250815-44240
Safety legacy ID: pyup.io-78710
Affected versions of the Apache Superset package are vulnerable to Improper Authorization due to insufficient access control in endpoints that allow ownership transfer. The API endpoints for dashboards, charts, and datasets fail to enforce proper authorization checks on ownership-related attributes, enabling authenticated read-permission users to manipulate ownership. An attacker who is authenticated with only read permissions can exploit this by crafting requests to these endpoints to take over ownership of dashboards, charts or datasets, compromising data integrity, confidentiality, and availability.
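The flaw class above (an update endpoint that gates on read access but then writes the ownership attribute) is easy to see side by side with a corrected handler. The following is an added example and is not Apache Superset's code or its actual patch: it models a dashboard update endpoint with plain Python dataclasses, and the user/permission/owner names, the `EDITABLE_FIELDS` whitelist and the rule applied in the hardened handler (writes require an existing owner or an admin, and an object must keep at least one owner) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester is not allowed to make the requested change."""


@dataclass
class User:
    id: int
    permissions: set = field(default_factory=set)  # e.g. {"can_read"}
    is_admin: bool = False


@dataclass
class Dashboard:
    id: int
    title: str
    owners: set = field(default_factory=set)  # ids of owning users


# Attributes an update request may touch (hypothetical, not Superset's schema).
EDITABLE_FIELDS = {"title", "owners"}


def _apply(dashboard, payload):
    """Write the whitelisted attributes from the payload onto the object."""
    for key, value in payload.items():
        if key in EDITABLE_FIELDS:
            setattr(dashboard, key, set(value) if key == "owners" else value)
    return dashboard


def update_dashboard_vulnerable(dashboard, requester, payload):
    """The flaw class in the advisory: the only gate is read access, so a
    read-only user can rewrite 'owners' and take the object over."""
    if "can_read" not in requester.permissions:
        raise Forbidden("no read access")
    return _apply(dashboard, payload)


def update_dashboard_hardened(dashboard, requester, payload):
    """Assumed fix (not Superset's actual patch): any write requires an
    existing owner or an admin, and 'owners' is a privileged attribute
    that must never become empty."""
    if "can_read" not in requester.permissions:
        raise Forbidden("no read access")
    if not (requester.id in dashboard.owners or requester.is_admin):
        raise Forbidden("only owners or admins may modify this object")
    if "owners" in payload and not set(payload["owners"]):
        raise Forbidden("an object must keep at least one owner")
    before = set(dashboard.owners)
    _apply(dashboard, payload)
    if dashboard.owners != before:
        # Ownership transfers deserve an audit trail; a real service would
        # send this to its audit log rather than stdout.
        print(f"audit: user {requester.id} changed owners of dashboard "
              f"{dashboard.id} from {sorted(before)} to {sorted(dashboard.owners)}")
    return dashboard


def attempt(handler, dashboard, requester, payload):
    """Run a handler and report the outcome as data so results can be compared."""
    try:
        handler(dashboard, requester, payload)
    except Forbidden as exc:
        return ("forbidden", str(exc))
    return ("ok", frozenset(dashboard.owners))


def demo():
    """Constructed scenario: Bob owns a dashboard; Alice has read access only."""
    alice = User(id=1, permissions={"can_read"})
    bob = User(id=2, permissions={"can_read", "can_write"})
    takeover = {"owners": [alice.id]}
    return {
        "vulnerable_takeover": attempt(update_dashboard_vulnerable,
                                       Dashboard(10, "Sales", {bob.id}), alice, takeover),
        "hardened_takeover": attempt(update_dashboard_hardened,
                                     Dashboard(10, "Sales", {bob.id}), alice, takeover),
        "owner_adds_coowner": attempt(update_dashboard_hardened,
                                      Dashboard(10, "Sales", {bob.id}), bob,
                                      {"owners": [bob.id, alice.id]}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The distinction that matters is that the vulnerable handler answers "may this user see the object?" and then trusts every attribute in the body, while the hardened one answers "may this user change the object?" before touching it and treats the ownership attribute as privileged in its own right. Emitting an audit record whenever the owner set changes also gives responders something to search for when reviewing past activity on an unpatched deployment.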
Overview
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250815-44240/CVE-2025-55675
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55675
- https://github.com/advisories/GHSA-mhpq-m962-mg92
- https://nvd.nist.gov/vuln/detail/CVE-2025-55675
- https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
- http://www.openwall.com/lists/oss-security/2025/08/14/6
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
