GHSA-5cx2-vq3h-x52c

GitHub Security Advisory

Apache Superset missing check for default SECRET_KEY

✓ GitHub Reviewed | HIGH | Has CVE

Advisory Details

Apache Superset versions up to and including 2.0.1 are vulnerable to session validation attacks. Installations that have not changed the default configured SECRET_KEY, as the installation instructions direct, allow an attacker to authenticate and access unauthorized resources. Installations whose administrators have changed the default value of the SECRET_KEY config are not affected.

Affected Packages

PyPI apache-superset
Affected versions: 0 (fixed in 2.1.0)

Related CVEs

Key Information

GHSA ID: GHSA-5cx2-vq3h-x52c
Published: April 24, 2023 6:30 PM
Last Modified: April 8, 2024 3:35 PM
CVSS Score: 7.5/10
Primary Ecosystem: PyPI
Primary Package: apache-superset
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.