Authorization Flaw in Apache Superset Allows Low-Privilege Users to Create Roles via Security API
A critical improper authorization vulnerability has been identified in Apache Superset, the open-source data visualization platform. Superset is built on Flask-AppBuilder (FAB), and the flaw resides in the FAB_ADD_SECURITY_API setting, which exposes FAB's security REST API (users, roles and permissions) under Superset's API. When that setting is enabled, users with lower privilege levels can reach the administrative role-creation endpoints that should be restricted to administrators. FAB_ADD_SECURITY_API is disabled by default, but deployments that explicitly enable it expose a significant attack surface, according to the disclosure published in the project's issue tracker.
The vulnerability affects Superset versions from 2.0.0 up to, but not including, 4.1.0. The core weakness is insufficient access control on the security API endpoints: an authenticated but lower-privileged user can invoke role management functions that only an administrator should be able to call. This is a classic privilege escalation risk, in which an actor with limited access to the system can grant itself permissions beyond what its assigned role permits. The issue was acknowledged and addressed in the 4.1.0 release, which carries the official fix.
Organizations running Apache Superset with FAB_ADD_SECURITY_API enabled are strongly advised to verify their current version and upgrade to 4.1.0 immediately. Where an upgrade cannot be applied at once, setting FAB_ADD_SECURITY_API back to its default of False removes the exposed endpoints, at the cost of any tooling that depends on them. The exposure is particularly relevant in enterprise environments where Superset serves as a centralized BI layer and where unauthorized role manipulation could cascade into broader infrastructure compromise. Security teams should audit role assignments and API access logs in affected deployments as a precaution, even after patching, looking specifically for roles created or modified by accounts that are not administrators, to rule out prior exploitation.
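As an added example (not code from the Superset project or from the advisory), the following Python script does the two checks the advice above calls for: it decides whether a deployment falls in the affected range given its version and its FAB_ADD_SECURITY_API value, and it scans access-log lines for mutating calls to the security API's role endpoints made by non-admin accounts. The log format is a constructed, space-separated one (user, role, method, path, status); adapt the regex to your proxy or application log. The endpoint prefix /api/v1/security/roles is the path FAB's security API registers; the sample log lines and the role names are constructed for the example.

```python
"""Audit helper for the Superset FAB_ADD_SECURITY_API role-creation flaw.

Added example, not Superset project code. Two pieces:
  * is_affected()            -> version-range plus config check
  * suspicious_role_calls()  -> scan log lines for role-endpoint writes by
                                accounts that are not administrators
"""
import re
from typing import Iterable

# Affected range stated in the advisory: 2.0.0 <= version < 4.1.0
AFFECTED_MIN = (2, 0, 0)
FIXED = (4, 1, 0)


def parse_version(version: str) -> tuple:
    """Turn '4.0.2' or '4.1.0rc1' into (4, 0, 2) / (4, 1, 0).

    Pre-release suffixes are ignored for the range check; anything that
    does not start with three dotted integers is rejected.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Superset version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str, fab_add_security_api: bool) -> bool:
    """True when the build is in the vulnerable range AND the security API
    is switched on (the default, False, does not expose the endpoints)."""
    return fab_add_security_api and AFFECTED_MIN <= parse_version(version) < FIXED


# Constructed log format (assumption): "<user> <role> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<role>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
# FAB's security API serves role objects under this prefix.
ROLE_API = re.compile(r"^/api/v1/security/roles(?:/|$)")
# Only writes matter for "who created or changed a role".
MUTATING = {"POST", "PUT", "DELETE"}


def suspicious_role_calls(lines: Iterable[str], admin_roles=("Admin",)) -> list:
    """Return parsed records for role-endpoint writes by non-admin accounts.

    Rejected attempts (4xx) are kept too: a burst of 403s from a Gamma user
    is worth knowing about even if nothing succeeded. Callers can filter on
    'status' to separate confirmed exploitation from attempts.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        rec = m.groupdict()
        if (
            rec["method"] in MUTATING
            and ROLE_API.match(rec["path"])
            and rec["role"] not in admin_roles
        ):
            hits.append(rec)
    return hits


def successful(hits: list) -> list:
    """Subset of hits the server answered with a 2xx, i.e. the write went through."""
    return [h for h in hits if h["status"].startswith("2")]


# Constructed sample log: one legitimate admin write, one read by a Gamma
# user, two non-admin writes that succeeded, one non-admin write refused.
SAMPLE_LOG = """
alice Admin POST /api/v1/security/roles/ 201
bob Gamma GET /api/v1/chart/ 200
bob Gamma POST /api/v1/security/roles/ 201
carol Alpha PUT /api/v1/security/roles/7 200
dave Gamma POST /api/v1/security/roles/ 403
""".strip().splitlines()


if __name__ == "__main__":
    print("4.0.2 with API enabled affected:", is_affected("4.0.2", True))
    print("4.1.0 with API enabled affected:", is_affected("4.1.0", True))
    for h in suspicious_role_calls(SAMPLE_LOG):
        print(f"{h['user']:6} {h['role']:6} {h['method']:4} {h['path']} -> {h['status']}")
```

In practice the hardened configuration is simply the default, `FAB_ADD_SECURITY_API = False` in `superset_config.py`, until the deployment is on 4.1.0 or later; the log scan is what tells you whether a non-admin account already used the endpoints while the setting was on, and only entries with a 2xx status indicate a role that was actually created or changed.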