Apache Superset Improper Authorization Flaw Grants Lower-Privilege Users Access to Role Creation API
A critical improper authorization vulnerability has been identified in Apache Superset when the FAB_ADD_SECURITY_API configuration is enabled, allowing lower-privilege users to create roles through the API. The flaw, an access control failure, affects versions from 2.0.0 up to but not including 4.1.0. It represents a serious deviation from the permission boundaries the platform's security model is meant to enforce.
The issue specifically emerges when administrators enable FAB_ADD_SECURITY_API, a setting disabled by default. Under normal configuration, role management should remain restricted to users with elevated privileges. However, the vulnerability permits users with lower permission levels to bypass these restrictions and interact with the role creation endpoint. Apache Superset has addressed this vulnerability in version 4.1.0, which includes the necessary authorization checks to prevent unauthorized role creation.
Organizations running affected versions of Apache Superset are strongly advised to upgrade to 4.1.0 immediately, particularly those with FAB_ADD_SECURITY_API enabled. Security teams should audit user permissions, review access logs for unauthorized role creation attempts, and ensure that role management functions remain limited to appropriately privileged accounts. This vulnerability underscores the importance of strict access control enforcement in administrative interfaces, especially when optional security APIs are activated.
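As an added example (not code from the advisory or the Apache Superset project), the following Python helper turns the two recommendations above into runnable checks: whether a deployment falls in the affected range with the optional API enabled, and whether access logs show successful role creation by accounts outside the privileged set. The role endpoint path `/api/v1/security/roles/` is assumed from Flask-AppBuilder's security API, and the log lines are a constructed, simplified format rather than Superset's real log layout.

```python
"""Added example (not from the advisory or the Superset project): a small
triage helper for the FAB_ADD_SECURITY_API role-creation issue.

Assumptions: the role-creation endpoint path `/api/v1/security/roles/` is
assumed from Flask-AppBuilder's security API; the access-log format below
is a constructed, simplified sample, not Superset's own log format.
"""
import re
from typing import Iterable, List, Set, Tuple

AFFECTED_MIN = (2, 0, 0)   # first affected version, inclusive (from the advisory)
FIXED = (4, 1, 0)          # fixed version, exclusive upper bound (from the advisory)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.0.2' into (4, 0, 2); pre-release suffixes such as '4.1.0rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str, fab_add_security_api: bool) -> bool:
    """True only when the version is in [2.0.0, 4.1.0) AND the optional API is enabled.

    The setting is off by default, so a deployment that never enabled it is
    not exposed even on an affected version.
    """
    v = parse_version(version)
    return bool(fab_add_security_api) and AFFECTED_MIN <= v < FIXED


# Constructed sample access-log lines: "<user> <method> <path> <status>"
SAMPLE_LOG = """\
alice POST /api/v1/security/roles/ 201
bob GET /api/v1/chart/ 200
carol POST /api/v1/security/roles/ 201
admin POST /api/v1/security/roles/ 201
bob POST /api/v1/security/roles/ 403
"""

ROLE_CREATE_PATH = "/api/v1/security/roles/"   # assumed FAB security API path
LOG_RE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def suspicious_role_creations(lines: Iterable[str], privileged_users: Set[str]) -> List[str]:
    """Return users outside the privileged set who successfully created a role.

    Only successful (2xx) POSTs to the role endpoint count; a 403 means the
    authorization check held and is not a finding here.
    """
    hits: List[str] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        user, method, path, status = m.group("user", "method", "path", "status")
        if method == "POST" and path == ROLE_CREATE_PATH and status.startswith("2"):
            if user not in privileged_users:
                hits.append(user)
    return hits


if __name__ == "__main__":
    print("affected:", is_affected("4.0.2", True))       # True: in range, API enabled
    print("affected:", is_affected("4.1.0", True))       # False: fixed version
    print("affected:", is_affected("3.1.0", False))      # False: API left disabled
    print("non-admin role creation by:",
          suspicious_role_creations(SAMPLE_LOG.splitlines(), {"admin"}))  # ['alice', 'carol']
```

The version check treats the fixed release as the exclusive upper bound, matching the advisory's "up to but not including 4.1.0"; the log scan deliberately skips rejected (403) requests so that a working authorization check does not generate noise, and it reports only accounts that are not on the privileged list you supply.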