Apache Superset API Access Control Gap Raises Data Exposure Risk, Researchers Warn
Security researchers have identified a broken access control vulnerability in Apache Superset, the widely deployed open-source business intelligence platform. The flaw, classified under OWASP A01:2021, stems from API endpoints missing required @has_access permission decorators, potentially allowing unauthorized users to access restricted chart data, dashboard metadata, and query results through direct URL manipulation.
The vulnerability affects multiple API components within the Superset codebase, specifically endpoints under /api/v1/ in superset/charts/api.py, superset/dashboards/api.py, superset/queries/api.py, and superset/datasets/api.py, along with handlers in superset/views/. In affected endpoints, the Row-Level Security enforcement layer is not activated because the explicit @has_access or @protect decorators are missing, leaving data accessible to users who should not have permission to view it. The issue appears most pronounced in endpoints serving chart data and dashboard metadata, where authorization checks are either absent or bypassed entirely.
Remediation efforts, as outlined in the reported findings, require a systematic audit of all Flask API endpoints to identify and patch unprotected routes. The proposed fix involves adding appropriate permission decorators to each vulnerable endpoint and implementing integration tests to verify that access controls function as intended. Organizations running Superset instances should monitor for updates addressing this access control deficiency, as the flaw could enable lateral movement within environments where unauthorized data access poses compliance or operational risks.
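The bug class and the audit step described above, as an added illustration that is not Superset's own code: a minimal stand-in for a Flask-style route table, a simplified `has_access` decorator in the spirit of Flask-AppBuilder's (not its real implementation), one endpoint in the vulnerable unguarded shape beside its guarded form, and an audit helper that walks the registry and reports routes with no permission guard. The route paths, permission name, user model and chart rows are constructed for the example.

```python
"""Added example: modelling a missing @has_access guard and auditing for it.
Not Superset code; decorator, registry and data are simplified stand-ins."""
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # e.g. frozenset({"can_read_chart"})


class PermissionDenied(Exception):
    """Raised when a guarded view is called by a user lacking the permission."""


def has_access(permission):
    """Simplified stand-in for Flask-AppBuilder's @has_access (assumption).

    The wrapper refuses the call unless the user holds `permission`, and tags
    the view with `required_permission` so an audit can detect guarded routes.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(user, *args, **kwargs):
            if permission not in user.permissions:
                raise PermissionDenied(f"{user.name} lacks {permission}")
            return view(user, *args, **kwargs)
        wrapper.required_permission = permission
        return wrapper
    return decorator


class ApiRegistry:
    """Tiny model of a blueprint's route table: path -> view function."""
    def __init__(self):
        self.routes = {}

    def route(self, path):
        def decorator(view):
            self.routes[path] = view
            return view
        return decorator


api = ApiRegistry()

# Constructed sample data standing in for chart query results.
CHART_DATA = {1: [("Q1", 100), ("Q2", 120)]}


# Vulnerable shape: route registered with no permission decorator, so any
# caller who knows the URL receives the rows.
@api.route("/api/v1/chart/<pk>/data/")
def chart_data_unprotected(user, chart_id):
    return CHART_DATA[chart_id]


# Fixed shape: the same handler behind an explicit permission guard.
@api.route("/api/v1/chart/<pk>/data/guarded")
@has_access("can_read_chart")
def chart_data_protected(user, chart_id):
    return CHART_DATA[chart_id]


def call_as(view, user, *args):
    """Invoke a view and report ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", view(user, *args))
    except PermissionDenied as exc:
        return ("denied", str(exc))


def audit_unguarded_routes(registry):
    """Systematic audit: every registered path whose view carries no
    required_permission marker, i.e. no @has_access-style guard."""
    return sorted(
        path for path, view in registry.routes.items()
        if getattr(view, "required_permission", None) is None
    )


if __name__ == "__main__":
    anon = User("anonymous", frozenset())
    print(call_as(chart_data_unprotected, anon, 1))   # leaks rows
    print(call_as(chart_data_protected, anon, 1))     # denied
    print(audit_unguarded_routes(api))                # the route to fix
```

The audit relies on the guard leaving a marker on the wrapped view; in a real Flask-AppBuilder deployment the equivalent check would inspect the registered view functions for the framework's own decorator attributes, and an integration test of the kind the article recommends would call each route as an unprivileged user and assert on a 401/403 response rather than on the decorator's presence alone.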