CVE-2026-23983
Received Received - Intake
Sensitive Data Exposure in Apache Superset Tag Endpoint

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: Apache Software Foundation

Description
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sureΒ TAGGING_SYSTEM is False (Apache Superset current default)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23983
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache superset to 6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Sensitive Data Exposure issue in Apache Superset versions before 6.0.0. It allows authenticated users with low privileges, such as those with the Gamma role, to retrieve sensitive user information through the Tag endpoint, which is disabled by default.

When the Tag endpoint returns objects associated with a specific tag, and those objects include Users, the API response improperly serializes and exposes sensitive fields like password hashes (pbkdf2), email addresses, and login statistics.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive authentication data to users with low privileges. Attackers or unauthorized users could gain access to password hashes, email addresses, and login statistics, potentially enabling further attacks such as credential cracking or targeted phishing.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Superset to version 6.0.0 or later, which contains the fix.

Alternatively, ensure that the TAGGING_SYSTEM configuration is set to False, which is the default setting in Apache Superset.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23983. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart