GHSA-wr6g-9wcr-cmqj

GitHub Security Advisory

Apache Superset: Improper data authorization when creating a new dataset

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

In Apache Superset, custom roles that include `can write on dataset` but do not have all data access permissions allow users to create virtual datasets over data they do not have access to. These users could then use those virtual datasets to gain access to unauthorized data.

This issue affects Apache Superset versions before 3.0.4, and versions from 3.1.0 before 3.1.1.

Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.

Affected Packages

PyPI apache-superset
Affected versions: 0 (fixed in 3.0.4)
PyPI apache-superset
Affected versions: 3.1.0 (fixed in 3.1.1)

Key Information

GHSA ID: GHSA-wr6g-9wcr-cmqj
Published: February 28, 2024 12:30 PM
Last Modified: February 13, 2025 7:10 PM
CVSS Score: 5.0/10
Primary Ecosystem: PyPI
Primary Package: apache-superset
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.