PyPI: apache-superset

CVE-2026-23983

Safety vulnerability ID: SFTY-20260224-90479

A Sensitive Data Exposure vulnerability exists in Apache Superset that allows authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) lets users retrieve the list of objects associated with a specific tag. When those associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This allows authenticated users with low privileges (e.g., the Gamma role) to view sensitive authentication data. This issue affects Apache Superset before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue, or to ensure the TAGGING_SYSTEM feature flag is False (the current Apache Superset default).
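The following added example (not Superset's own code, nor part of the original advisory) does the two things a practitioner wants for this issue: decide whether a deployment is exposed (unpatched version and TAGGING_SYSTEM enabled), and audit or scrub a tag-objects response for the leaked fields. The sensitive field names are the real columns of the Flask-AppBuilder User model, and the hash pattern is werkzeug's `pbkdf2:sha256:<iterations>$<salt>$<hex>` format; the response shape, the `"type": "user"` discriminator and the sample payload are constructed assumptions for illustration, not a captured Superset response.

```python
"""Audit helpers for CVE-2026-23983 (Apache Superset < 6.0.0 tag endpoint
leaking user fields). Added example; not Superset or Safety code."""
import re
from typing import Any

FIXED_VERSION = (6, 0, 0)

# Columns of the Flask-AppBuilder User model that must never leave the server.
SENSITIVE_USER_FIELDS = {"password", "email", "login_count",
                         "fail_login_count", "last_login"}

# Fields a tag-objects response may legitimately expose for a user
# (assumed allow-list for this example).
ALLOWED_USER_FIELDS = {"id", "type", "username", "first_name", "last_name"}

# werkzeug password hashes: "pbkdf2:sha256:<iterations>$<salt>$<hex digest>"
PBKDF2_HASH_RE = re.compile(r"^pbkdf2:sha\d+:\d+\$[^$]+\$[0-9a-f]+$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '5.0.0', '4.1.2rc1' or '6.0.0.dev0' into a comparable tuple of
    the leading numeric components (pre-release suffixes are ignored)."""
    parts: list[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) or (0,)


def is_vulnerable(version: str, feature_flags: dict[str, bool]) -> bool:
    """True only when the fix is absent AND the Tag API is switched on.
    feature_flags mirrors the FEATURE_FLAGS dict from superset_config.py;
    TAGGING_SYSTEM defaults to False, so a missing key counts as disabled."""
    unpatched = parse_version(version) < FIXED_VERSION
    tagging_enabled = bool(feature_flags.get("TAGGING_SYSTEM", False))
    return unpatched and tagging_enabled


def find_leaked_fields(payload: Any, path: str = "$") -> list[str]:
    """Walk a JSON response and return JSONPath-like locations of sensitive
    user columns or anything that looks like a pbkdf2 password hash."""
    findings: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if key in SENSITIVE_USER_FIELDS:
                findings.append(here)
            elif isinstance(value, str) and PBKDF2_HASH_RE.match(value):
                findings.append(here)  # hash under an unexpected key name
            findings.extend(find_leaked_fields(value, here))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            findings.extend(find_leaked_fields(value, f"{path}[{index}]"))
    return findings


def scrub_response(payload: Any) -> Any:
    """Return a copy in which user objects keep only allow-listed fields.
    This is the allow-list style of serialization the fix amounts to:
    enumerate what may be exposed rather than what must be hidden."""
    if isinstance(payload, dict):
        if payload.get("type") == "user":  # assumed discriminator key
            return {k: v for k, v in payload.items() if k in ALLOWED_USER_FIELDS}
        return {k: scrub_response(v) for k, v in payload.items()}
    if isinstance(payload, list):
        return [scrub_response(v) for v in payload]
    return payload


# Constructed sample mimicking the leak described in the advisory; not a
# real capture from any Superset instance.
SAMPLE_RESPONSE = {
    "result": [
        {"type": "chart", "id": 12, "name": "Revenue by region"},
        {
            "type": "user",
            "id": 3,
            "username": "gamma_user",
            "email": "gamma@example.com",
            "password": "pbkdf2:sha256:600000$abc123$" + "0" * 64,
            "login_count": 7,
            "last_login": "2026-02-01T10:00:00",
        },
    ]
}

if __name__ == "__main__":
    print("exposed:", is_vulnerable("5.0.0", {"TAGGING_SYSTEM": True}))
    for location in find_leaked_fields(SAMPLE_RESPONSE):
        print("leaked field:", location)
    print("scrubbed:", scrub_response(SAMPLE_RESPONSE)["result"][1])
```

Run `find_leaked_fields` over a saved response from your own tag endpoint to confirm whether the upgrade took effect; `is_vulnerable` is the check to wire into a config audit, reading the version from `pip show apache-superset` and the flags from your superset_config.py.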

Created at: Feb 26, 2026
Updated at: Feb 26, 2026

Overview

Apache Superset allows authenticated users to view sensitive data without explicit permissions

Affected Package

Affecting apache-superset package, versions < 6.0.0

How to Fix

Upgrade apache-superset to 6.0.0 or higher.

Mitigation and Workarounds

Until the upgrade is applied, ensure the TAGGING_SYSTEM feature flag is False (the current Apache Superset default, set in the FEATURE_FLAGS dict of superset_config.py), which keeps the Tag endpoint disabled.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.