CVE-2026-23983

Severity: 2.3 LOW
EPSS: 0.1% (top 82.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24

Description

A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privile

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

NVD: apache/superset < 6.0.0
PyPI: apache-superset < 6.0.0

Vulnerability Details (3)

CVEList: Apache Superset: Sensitive Data Exposure via REST API (disabled by default) (2026-02-24)
GHSA: Apache Superset allows authenticated users to view sensitive data without explicit permissions (2026-02-24)
OSV: Apache Superset allows authenticated users to view sensitive data without explicit permissions (2026-02-24)

Threat Intelligence (1)

Wiz: CVE-2026-23983 Impact, Exploitability, and Mitigation Steps | Wiz