Connect with us

Hi, what are you looking for?



Organizations Warned of Security Risk in Default Apache Superset Configurations

Attackers can exploit Apache Superset installations with default configurations to gain administrator access and execute code on servers and databases.

Malicious attackers can exploit Apache Superset installations running default configurations to gain administrator access and execute code on servers and databases, penetration testing firm warns.

An open source application written in Python and based on the Flask web framework, Apache Superset provides users with the ability to explore and visualize large amounts of data.

The same as other Flask-based applications, Superset uses session cookies that are signed with a secret key for authentication. 

The secret key is supposed to be randomly generated, to prevent scenarios where an attacker could use a known key to sign their own cookies and gain access to the application.

An attacker who knows a Superset session key could log in as an administrator, access databases connected to the application, add, modify or delete databases, and execute code remotely, both on databases and on the server.

“By default, database connections are set up with read-only permissions but an attacker with admin access can enable writes and DML (data model language) statements. The powerful SQL Lab interface allows attackers to run arbitrary SQL statements against connected databases,” explains.

Furthermore, the attacker could harvest sensitive information, including user password hashes and database credentials in plaintext.

Advertisement. Scroll to continue reading.

Tacked as CVE-2023-27524 (CVSS score of 8.9), the vulnerability identified by exists because, when Superset is installed, the secret key is defaulted to a specific value, with the user being responsible for changing it to a cryptographically secure random string.

The security firm initially discovered and reported the bug in October 2021. The secret key value was rotated in January 2022 to a new default and a warning was added to the logs.

In February 2023, discovered that there were over 3,000 Superset instances accessible from the internet, and that more than 2,000 of them (roughly two thirds) were using a default secret key. Apache Superset versions up to 2.0.1 are impacted.

“Among the 2000+ affected users, we found a broad mix of large corporations, small companies, government agencies, and universities. We sent out good-faith notifications to a number of organizations, some of whom remediated shortly after,” the company notes.

The vulnerability was addressed in Superset version 2.1, which prevents the server from starting if a default secret key is in use. Superset instances that are installed via a docker-compose file or a helm template, however, still use default keys.

Other Flask-based applications were also found vulnerable to the hardcoded secret key bug, including Apache Airflow (CVE-2020-17526) and Redash (CVE-2021-41192).

Related: Critical Apache Commons Text Flaw Compared to Log4Shell, But Not as Widespread

Related: High-Severity Vulnerability Found in Apache Database System Used by Major Firms

Related: High-Risk Flaw Haunts Apache Server

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.