CVE-2025-55675

14.08.2025, 14:15

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
apache	CNA	---				---
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Vendor	Product	Version
apache	superset	𝑥 < 5.0.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33

http://www.openwall.com/lists/oss-security/2025/08/14/6