Anonymous Intelligence Signal

Authorization Flaw in Apache Superset Allowed Lower-Privilege Users to Create Roles

Author: The Lab (human, unverified) | 2026-04-30 17:54:12 | Source: GitHub Issues

A critical improper authorization vulnerability in Apache Superset enabled lower-privilege users to create roles when the FAB_ADD_SECURITY_API feature flag was activated. The flaw, documented in the project's security advisories, allowed authenticated users with restricted permissions to bypass intended access controls through the exposed API endpoint. Security researchers flagged the issue as a classic privilege escalation risk, as role creation typically requires elevated administrative privileges in well-designed access control systems.

The vulnerability resided specifically within Superset's optional security API module, which is disabled by default but can be enabled for administrative or integration purposes. Releases from 2.0.0 up to, but not including, 4.1.0 were affected, exposing organizations that had enabled FAB_ADD_SECURITY_API without recognizing the authorization gap. The risk profile remained conditional: the attack surface existed only when the flag was explicitly turned on, limiting exposure compared to a universally enabled component. Nevertheless, any deployment with the feature active faced potential for unauthorized role manipulation by non-admin users.

The Superset project released version 4.1.0 with a fix for the authorization flaw. Administrators managing Superset instances are advised to verify their current version and upgrade to 4.1.0 or later if running an affected release. Organizations should also audit whether FAB_ADD_SECURITY_API is enabled in their environments and disable it unless explicitly required, following the principle of least privilege for security-sensitive configuration flags.
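The two checks recommended above (is the running release in the affected range, and is FAB_ADD_SECURITY_API switched on) can be scripted as a triage step. The following is an added example written for this brief; it is not code from the Superset project or from the advisory. It assumes that FAB_ADD_SECURITY_API is set as a top-level assignment in superset_config.py and that the flag defaults to off when absent (both labelled as assumptions in the code); the version string is whatever your package manager reports for apache-superset. The config file is read with the ast module rather than executed, so a tampered or broken config cannot run code inside the triage tool.

```python
"""Triage helper for the FAB_ADD_SECURITY_API authorization flaw.

Added example, not Superset project code.  Assumptions not taken from the brief:
  - FAB_ADD_SECURITY_API is a top-level assignment in superset_config.py
  - when the flag is not assigned at all, Superset's default is 'disabled'
"""
import ast
import re
from typing import Optional, Tuple

AFFECTED_MIN = (2, 0, 0)  # first affected release named in the brief
FIXED_IN = (4, 1, 0)      # fix shipped in 4.1.0


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.0.2' (or '4.0.2rc1') into a comparable tuple of ints.

    Only the leading dotted-numeric part is used; pre-release suffixes are
    ignored.  Short strings such as '4.1' are padded to three components.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def version_in_affected_range(version: str) -> bool:
    """True when 2.0.0 <= version < 4.1.0."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def security_api_flag(config_source: str) -> Optional[bool]:
    """Read FAB_ADD_SECURITY_API from config source without executing it.

    Returns True/False for a literal assignment, False when the flag is never
    assigned (assumed default), and None when the last assignment is not a
    literal (e.g. derived from an environment variable), which means the value
    must be checked on the running instance instead.
    """
    value: Optional[bool] = False  # assumed default: flag off
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id == "FAB_ADD_SECURITY_API":
                if isinstance(node.value, ast.Constant) and isinstance(node.value.value, bool):
                    value = node.value.value  # last assignment wins, as at runtime
                else:
                    value = None  # computed at runtime; cannot decide statically
    return value


def assess(version: str, config_source: str) -> str:
    """Combine the version and flag checks into one verdict string."""
    if not version_in_affected_range(version):
        return "not-affected-version"
    flag = security_api_flag(config_source)
    if flag is None:
        return "review-config"  # flag is set dynamically; verify on the host
    return "exposed" if flag else "flag-disabled"


# Constructed sample configs (not real deployments).
SAMPLE_CONFIG_ENABLED = 'SECRET_KEY = "constructed-placeholder"\nFAB_ADD_SECURITY_API = True\n'
SAMPLE_CONFIG_DEFAULT = 'SECRET_KEY = "constructed-placeholder"\nROW_LIMIT = 5000\n'
SAMPLE_CONFIG_DYNAMIC = (
    'import os\n'
    'FAB_ADD_SECURITY_API = os.environ.get("ENABLE_SEC_API") == "1"\n'
)

if __name__ == "__main__":
    for ver, cfg in [("4.0.2", SAMPLE_CONFIG_ENABLED),
                     ("4.1.0", SAMPLE_CONFIG_ENABLED),
                     ("3.1.0", SAMPLE_CONFIG_DEFAULT),
                     ("3.1.0", SAMPLE_CONFIG_DYNAMIC)]:
        print(f"apache-superset {ver}: {assess(ver, cfg)}")
```

A result of "exposed" means both conditions from the brief hold and the upgrade to 4.1.0 or later (or disabling the flag) should be prioritized; "review-config" means the flag's value cannot be read from the file alone and should be confirmed on the running instance.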