CVE-2024-26016 MEDIUM

CVE-2024-26016: Apache Superset: Improper authorization validation on dashboards and charts import

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-863 · Incorrect authorization

Published February 28, 2024

Last update April 22, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.

Key dates

Disclosure timeline

February 28, 2024 CVE published

April 22, 2025 Record updated

Identifiers

CVE CVE-2024-26016

CWE CWE-863

CVSS 4.3 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Superset

Affected < 3.0.4

Vendor Apache Software Foundation

Product Apache Superset

Affected ≥ 3.1.0 and < 3.1.1