Apache Superset: Authenticated Users Can See Sensitive User Data
CVE-2026-23983
GHSA-h294-8fxm-m2pj
Summary
Authenticated users with low privileges (for example the Gamma role) can retrieve sensitive user information from Apache Superset, including password hashes (pbkdf2), email addresses and login statistics. The Tag endpoint, which is disabled by default, returns the objects associated with a tag; when those objects include Users, the response serializes fields that should never leave the server. To fix this, upgrade to Apache Superset 6.0.0, or make sure TAGGING_SYSTEM is False (the default) so the Tag endpoint stays disabled.
What to do
- Update apache-superset to version 6.0.0. Until the upgrade is done, confirm that TAGGING_SYSTEM is False (the default) in your Superset configuration so the Tag endpoint is not exposed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | apache-superset | < 6.0.0 | 6.0.0 |
| apache | superset | < 6.0.0 | 6.0.0 |
Original title
Apache Superset allows authenticated users to view sensitive data without explicit permissions
Original description
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.
When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue, or make sure TAGGING_SYSTEM is False (the current Apache Superset default).
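The bug class in the summary and the original description is over-serialization: an endpoint that returns "whatever objects carry this tag" hands each object to a generic serializer, and when a User row is among them the password hash, email and login counters come back with it. The following is an added, self-constructed Python model of that pattern and its fix; it is not Apache Superset's code. The `User` and `Dashboard` classes, the field names, the constructed tag data and the `tag_endpoint_exposed` helper (which only encodes the advisory's two conditions: version before 6.0.0 and TAGGING_SYSTEM enabled) are all assumptions for illustration.

```python
"""Illustrative model of the Tag-endpoint over-serialization bug (added example,
not Apache Superset's implementation). Shows the vulnerable serializer beside an
allowlisted one, a regression check for leaked keys, and an exposure check."""
from dataclasses import dataclass

# Field names a User-style auth table typically carries and must never be
# returned to a low-privilege caller (assumed names, aligned with the advisory).
SENSITIVE_KEYS = {"password", "email", "login_count", "last_login", "fail_login_count"}


@dataclass
class User:
    id: int
    username: str
    email: str
    password: str  # pbkdf2 hash string as stored by the auth layer (assumed)
    login_count: int
    last_login: str


@dataclass
class Dashboard:
    id: int
    dashboard_title: str
    slug: str


# Constructed sample data: one tag attached to both a dashboard and a user.
TAGGED_OBJECTS = {
    "finance": [
        Dashboard(id=7, dashboard_title="Q1 Revenue", slug="q1-revenue"),
        User(id=3, username="analyst", email="analyst@example.com",
             password="pbkdf2:sha256:260000$EXAMPLE$deadbeef",
             login_count=42, last_login="2026-02-01T09:15:00"),
    ]
}


def naive_serialize(obj) -> dict:
    """Vulnerable pattern: dump every attribute of the object, whatever its type."""
    return {"type": type(obj).__name__, **vars(obj)}


# Hardened pattern: an explicit per-type allowlist. Types the endpoint has not
# been taught about fall back to exposing only their id.
ALLOWED_FIELDS = {
    "Dashboard": ("id", "dashboard_title", "slug"),
    "User": ("id", "username"),
}


def safe_serialize(obj) -> dict:
    kind = type(obj).__name__
    fields = ALLOWED_FIELDS.get(kind, ("id",))
    return {"type": kind, **{f: getattr(obj, f) for f in fields}}


def tagged_objects_response(tag: str, serializer) -> list:
    """Model of the endpoint: all objects carrying `tag`, run through `serializer`."""
    return [serializer(o) for o in TAGGED_OBJECTS.get(tag, [])]


def leaked_sensitive_keys(response: list) -> set:
    """Regression check: which sensitive keys appear anywhere in a response."""
    return {k for item in response for k in item if k in SENSITIVE_KEYS}


def tag_endpoint_exposed(version: str, tagging_system: bool) -> bool:
    """True when a deployment matches the advisory: version before 6.0.0 and
    TAGGING_SYSTEM enabled. Assumes a plain MAJOR.MINOR.PATCH version string."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return (major, minor, patch) < (6, 0, 0) and bool(tagging_system)


if __name__ == "__main__":
    vulnerable = tagged_objects_response("finance", naive_serialize)
    fixed = tagged_objects_response("finance", safe_serialize)
    print("naive serializer leaks:", sorted(leaked_sensitive_keys(vulnerable)))
    print("allowlist serializer leaks:", sorted(leaked_sensitive_keys(fixed)))
    print("5.0.0 with TAGGING_SYSTEM=True exposed:", tag_endpoint_exposed("5.0.0", True))
```

The point of `leaked_sensitive_keys` is that it can be kept as a test against any endpoint that returns heterogeneous objects: assert the set is empty for every type the endpoint can return, not just the ones it was designed around. The allowlist fallback of `("id",)` is the same idea in the serializer itself, so a newly taggable model type cannot widen the response by accident.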
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 2.3
Vulnerability type
CWE-200
Information Exposure
- https://nvd.nist.gov/vuln/detail/CVE-2026-23983
- https://github.com/advisories/GHSA-h294-8fxm-m2pj
- https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/02/24/7 (Mailing List, Third Party Advisory)
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026