1. Hardcoded Superset Secret Leaves Embedded Dashboards Vulnerable to Guest Token Forgery
A security gap in Apache Superset's default configuration exposes embedded dashboards to token forgery attacks. The file `superset/config.py` ships with `GUEST_TOKEN_JWT_SECRET` hardcoded to `"test-guest-secret-change-me"` — a publicly documented default value that anyone can read from the source code. Unlike Flask's `...
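A defensive check for the setting described above, as an added example (not code from Apache Superset or from this page): it statically inspects a `superset_config.py`-style override file and reports whether `GUEST_TOKEN_JWT_SECRET` is left at the shipped default. The function name, verdict strings, 32-character threshold and sample configs are assumptions constructed for illustration.

```python
import ast

# Default quoted on this page from superset/config.py.
DEFAULT_GUEST_SECRET = "test-guest-secret-change-me"
MIN_SECRET_LEN = 32  # assumed threshold for this example, not a Superset rule
SETTING = "GUEST_TOKEN_JWT_SECRET"


def audit_guest_secret(config_source: str) -> str:
    """Classify how a config override sets GUEST_TOKEN_JWT_SECRET.

    Returns "missing", "default", "weak", "literal" or "dynamic".
    Only top-level assignments are inspected; the last one wins.
    """
    verdict = "missing"  # no override: the shipped default stays in effect
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        if not any(isinstance(t, ast.Name) and t.id == SETTING for t in targets):
            continue
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            if value.value == DEFAULT_GUEST_SECRET:
                verdict = "default"
            elif len(value.value) < MIN_SECRET_LEN:
                verdict = "weak"
            else:
                verdict = "literal"  # long enough, but stored in the file
        else:
            verdict = "dynamic"  # e.g. read from the environment at startup
    return verdict


# Constructed sample override files (not taken from any real deployment).
SAMPLES = {
    "no override": 'FEATURE_FLAGS = {"EMBEDDED_SUPERSET": True}\n',
    "default kept": 'GUEST_TOKEN_JWT_SECRET = "test-guest-secret-change-me"\n',
    "short literal": 'GUEST_TOKEN_JWT_SECRET = "hunter2"\n',
    "from env": 'import os\nGUEST_TOKEN_JWT_SECRET = os.environ["GUEST_SECRET"]\n',
}

if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(f"{name:14} -> {audit_guest_secret(source)}")
```

Treat a "missing" or "default" verdict as a blocking finding for any deployment that serves embedded dashboards.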