CVE-2018-8021

CRITICAL

Apache Superset < 0.23 - Remote Code Execution via Pickle Deserialization


Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-8021. PoCs published by David May, r3dxpl0it.

AI-analyzed exploit summary: This exploit leverages a deserialization vulnerability in Apache Superset < 0.23 to achieve remote code execution by uploading a malicious pickle file containing a reverse shell payload. It requires valid credentials with dashboard import privileges.

Description

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data, leading to possible remote code execution. Note: Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

Exploits (2)

exploitdb · WORKING POC
by David May · python · webapps · linux
https://www.exploit-db.com/exploits/45933

This exploit leverages a deserialization vulnerability in Apache Superset < 0.23 to achieve remote code execution by uploading a malicious pickle file containing a reverse shell payload. It requires valid credentials with dashboard import privileges.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Superset < 0.23
Auth required
Prerequisites: Valid credentials with 'can Import Dashboards on Superset' privilege · Network access to the target Superset instance · A listener set up to receive the reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 106 stars
by r3dxpl0it · poc
https://github.com/r3dxpl0it/Apache-Superset-Remote-Code-Execution-PoC-CVE-2018-8021

This PoC exploits CVE-2018-8021, a deserialization vulnerability in Apache Superset via unsafe pickle deserialization. It crafts a malicious pickle file to execute a reverse shell command, leveraging authenticated dashboard import functionality.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Superset (versions prior to fix)
Auth required
Prerequisites: Valid credentials for a user with dashboard import privileges · Network access to the target Superset instance
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References (2)
- Exploit, Third Party Advisory, VDB Entry (x_refsource_exploit-db): https://www.exploit-db.com/exploits/45933/
- Patch, Third Party Advisory (x_refsource_misc): https://github.com/apache/incubator-superset/pull/4243

Scores

CVSS v3: 9.8
EPSS: 0.6434
EPSS Percentile: 98.5%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-502
Status: published
Products (2)
- apache/superset < 0.23
- pypi/superset 0 - 0.23 (PyPI)
Published: Nov 07, 2018
Tracked Since: Feb 18, 2026