CVE-2025-55675

CWE-2854 documents4 sources
Severity
5.3MEDIUM
EPSS
0.1%
top 78.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache SupersetApache Superset
Timeline
PublishedAug 14

Description

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDapache/superset< 5.0.0
PyPIapache-superset< 5.0.0

🔴Vulnerability Details

3
CVEList
Apache Superset: Incorrect datasource authorization on REST API2025-08-14
OSV
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access2025-08-14
GHSA
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access2025-08-14
CVE-2025-55675 (MEDIUM CVSS 5.3) | Apache Superset contains an imprope | cvebase.io