Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| apache-superset(PyPI) | 0 | 5.0.0 | N/A |
CVSS Metrics
