CVE-2024-53949

6.5 MEDIUM

📋 TL;DR

Apache Superset has an improper authorization vulnerability when FAB_ADD_SECURITY_API is enabled (disabled by default). This allows lower-privilege users to access security API endpoints they shouldn't have permission to use. The vulnerability affects Apache Superset versions from 2.0.0 up to (but not including) 4.1.0.

💻 Affected Systems

Products:
  • Apache Superset
Versions: 2.0.0 to 4.1.0 (excluding 4.1.0)
Operating Systems: All operating systems running Apache Superset
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when FAB_ADD_SECURITY_API is explicitly enabled (disabled by default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Lower-privilege users could escalate privileges, modify security configurations, or access sensitive data they shouldn't have permission to view.

🟠 Likely Case

Users with limited permissions could perform unauthorized actions through the security API, potentially accessing or modifying resources beyond their intended scope.

🟢 If Mitigated

If FAB_ADD_SECURITY_API is disabled (default configuration), the vulnerability is not exposed. Proper network segmentation and access controls would limit the impact.

🌐 Internet-Facing: MEDIUM - If exposed to the internet with the vulnerable configuration, attackers could attempt to exploit this, but exploitation requires an authenticated account.
🏢 Internal Only: MEDIUM - Internal users with any level of access could potentially abuse this to escalate privileges or access unauthorized resources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with any user account and the FAB_ADD_SECURITY_API feature enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0

Vendor Advisory: https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d

Restart Required: Yes

Instructions:

1. Back up your Superset instance and database.
2. Upgrade Apache Superset to version 4.1.0 or later using your package manager or pip.
3. Restart the Superset service.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable FAB_ADD_SECURITY_API

Applies to: all affected versions

Set FAB_ADD_SECURITY_API = False in superset_config.py to disable the vulnerable security API endpoints.

🧯 If You Can't Patch

  • Disable FAB_ADD_SECURITY_API in configuration if enabled
  • Implement strict network access controls and monitor for unusual API calls to security endpoints

🔍 How to Verify

Check if Vulnerable:

Check if running Apache Superset version between 2.0.0 and 4.1.0 (excluding 4.1.0) AND FAB_ADD_SECURITY_API is enabled in configuration.

Check Version:

pip show apache-superset | grep Version

Verify Fix Applied:

Verify Apache Superset version is 4.1.0 or later, or confirm FAB_ADD_SECURITY_API is disabled.
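The two conditions above (affected version range and the flag enabled) combined into one local check. This is an added example, not part of the advisory or of Superset itself; it assumes the package is installed under the pip name apache-superset and that the config file is a normal superset_config.py Python module.

```python
"""Local exposure check for CVE-2024-53949: affected version AND FAB_ADD_SECURITY_API on."""
import importlib.metadata
import re
from pathlib import Path

FIRST_AFFECTED = (2, 0, 0)  # from the advisory: 2.0.0 up to, not including, 4.1.0
FIRST_FIXED = (4, 1, 0)


def parse_version(text: str) -> tuple:
    """Reduce '4.0.2' or '3.1' to a comparable (major, minor, patch) tuple.
    Any pre-release suffix is ignored and treated as its base version."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def version_is_affected(version: str) -> bool:
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def flag_from_config_source(source: str) -> bool:
    """Evaluate superset_config.py text the way Superset loads it (it is a Python
    module) and read FAB_ADD_SECURITY_API; an absent key means the default, False."""
    namespace = {}
    exec(source, namespace)  # operator-owned config, executed just as Superset imports it
    return bool(namespace.get("FAB_ADD_SECURITY_API", False))


def assess(version: str, config_source: str) -> dict:
    """Both conditions must hold; either one alone is not exposure."""
    affected = version_is_affected(version)
    enabled = flag_from_config_source(config_source)
    return {"version_affected": affected, "flag_enabled": enabled,
            "vulnerable": affected and enabled}


def assess_installed(config_path: str) -> dict:
    """Run against the live install: version from pip metadata, flag from the config file."""
    version = importlib.metadata.version("apache-superset")  # assumed package name
    return assess(version, Path(config_path).read_text())


if __name__ == "__main__":
    # Constructed sample config (not a real deployment): flag explicitly enabled
    sample = "ROW_LIMIT = 5000\nFAB_ADD_SECURITY_API = True\n"
    print(assess("4.0.2", sample))  # version in range and flag on: vulnerable
```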

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /api/v1/security/* endpoints
  • Unusual API calls from lower-privilege users to security-related endpoints

Network Indicators:

  • HTTP requests to security API endpoints from users with insufficient privileges

SIEM Query:

source="superset" AND (uri_path="/api/v1/security/*" OR uri_path CONTAINS "/security/") AND user_role IN ("gamma", "alpha", "sql_lab")
