CVE-2025-55675: Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access

August 14, 2025 (updated November 10, 2025)

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

References

github.com/advisories/GHSA-mhpq-m962-mg92
github.com/apache/superset
lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
nvd.nist.gov/vuln/detail/CVE-2025-55675

Code Behaviors & Features

Detect and mitigate CVE-2025-55675 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →