CVE-2024-53949: Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled

December 9, 2024 (updated February 12, 2025)

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.

issue affects Apache Superset: from 2.0.0 before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.

References

github.com/advisories/GHSA-35fc-9hrj-3585
github.com/apache/superset
github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7
lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d
nvd.nist.gov/vuln/detail/CVE-2024-53949

Code Behaviors & Features

Detect and mitigate CVE-2024-53949 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →