CVE-2026-23983

MEDIUM

Apache Superset - Info Disclosure

Title source: llm

Description

A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)

References (2)

[Mailing List] http://www.openwall.com/lists/oss-security/2026/02/24/7

[Mailing List] https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 13.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

apache/superset < 6.0.0

pypi/apache-superset 0 - 6.0.0PyPI

Published Feb 24, 2026

Tracked Since Feb 24, 2026