CVE DATABASE / CVE-2023-27524

CVE-2023-27524

Apache Superset Insecure Default Initialization of Resource Vulnerability

CVSS 8.9 · HIGH ⚠ CISA KEV — ACTIVELY EXPLOITED

On the CISA KEV catalog

Confirmed exploited in the wild. Added 2024-01-08. Federal remediation due 2024-01-29.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Summary

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like:SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.

CVSS 3.1 breakdown

Base score	8.9 (HIGH)
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack vector	NETWORK
Attack complexity	HIGH
Privileges required	NONE
User interaction	NONE
Scope	CHANGED
Confidentiality	HIGH
Integrity	HIGH
Availability	LOW

Weakness type (CWE)

CWE-1188

Affected products

Apache superset

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD + CISA KEV. NVD last modified 2026-02-26. Always verify against the vendor advisory before acting.