CVE-2026-23983
Received Received - Intake
Sensitive Data Exposure in Apache Superset Tag Endpoint

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: Apache Software Foundation

Description
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sureΒ TAGGING_SYSTEM is False (Apache Superset current default)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-05-27
AI Q&A
2026-02-24
EPSS Evaluated
2026-05-25
NVD
CVE-2026-23983
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache superset to 6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Sensitive Data Exposure issue in Apache Superset versions before 6.0.0. It allows authenticated users with low privileges, such as those with the Gamma role, to retrieve sensitive user information through the Tag endpoint, which is disabled by default.

When the Tag endpoint returns objects associated with a specific tag, and those objects include Users, the API response improperly serializes and exposes sensitive fields like password hashes (pbkdf2), email addresses, and login statistics.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive authentication data to users with low privileges. Attackers or unauthorized users could gain access to password hashes, email addresses, and login statistics, potentially enabling further attacks such as credential cracking or targeted phishing.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, users are recommended to upgrade Apache Superset to version 6.0.0 or later, which contains the fix.

Alternatively, ensure that the TAGGING_SYSTEM configuration is set to False, which is the default setting in Apache Superset.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart