Vulnerability Description
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Superset | < 5.0.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/08/14/6
FAQ
What is CVE-2025-55675?
CVE-2025-55675 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do no...
How severe is CVE-2025-55675?
CVE-2025-55675 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55675?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Superset.