CVE-2026-23983

6.5 MEDIUM

📋 TL;DR

Authenticated users in Apache Superset can exploit a disabled-by-default tagging feature to retrieve sensitive user data including password hashes and email addresses. This affects all Apache Superset installations before version 6.0.0 where users have authenticated access, even with low-privilege roles like Gamma.

💻 Affected Systems

Products:
  • Apache Superset
Versions: All versions before 6.0.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Vulnerability only exists when TAGGING_SYSTEM feature is enabled (disabled by default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could obtain password hashes for offline cracking, potentially compromising administrative accounts and gaining full control of the Superset instance.

🟠

Likely Case

Low-privilege authenticated users exfiltrate sensitive user data including email addresses and login statistics, enabling targeted phishing or credential reuse attacks.

🟢

If Mitigated

With TAGGING_SYSTEM disabled (default), the vulnerability is not exposed, limiting impact to misconfigured systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access but minimal technical skill to exploit via API calls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.0

Vendor Advisory: https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww

Restart Required: Yes

Instructions:

1. Back up your Superset instance.
2. Upgrade to Apache Superset 6.0.0 or later using your package manager or installation method.
3. Restart the Superset service.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable Tagging System (applies to: all)

Set TAGGING_SYSTEM to False in the Superset configuration to disable the vulnerable endpoint.

In superset_config.py: TAGGING_SYSTEM = False

🧯 If You Can't Patch

  • Ensure TAGGING_SYSTEM is set to False in all configurations
  • Restrict authenticated user access and implement strict role-based access controls

🔍 How to Verify

Check if Vulnerable:

Check whether TAGGING_SYSTEM is enabled in the configuration and the version is below 6.0.0.

Check Version:

superset version

Verify Fix Applied:

Confirm the version is 6.0.0 or later and TAGGING_SYSTEM is False, then test that the tag API endpoint returns a proper error.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to /api/v1/tag/ endpoints
  • Multiple requests for tag associations with user objects

Network Indicators:

  • HTTP GET requests to tag API endpoints returning sensitive user data

SIEM Query:

source="apache_superset" AND (uri_path="/api/v1/tag/" OR uri_path CONTAINS "/tag/")
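The SIEM query above matches every tag-endpoint request; the more useful signal is one authenticated user repeatedly pulling tag associations with success responses. The script below is an added example, not part of this advisory or of Superset: it applies the same path filter as the query to constructed log lines (the "user=NAME METHOD PATH STATUS" format and the /objects/ sub-paths are assumptions for illustration) and flags users whose successful GETs to tag endpoints reach a threshold.

```python
import re
from collections import Counter

# Constructed sample access-log lines (assumed format: "timestamp user=NAME METHOD PATH STATUS").
# This is not real Superset log output, only illustrative data for the detection logic.
SAMPLE_LOGS = [
    "2026-01-10T10:00:01Z user=alice GET /api/v1/chart/ 200",
    "2026-01-10T10:00:02Z user=alice GET /api/v1/tag/ 200",
    "2026-01-10T10:00:03Z user=bob GET /api/v1/tag/ 200",
    "2026-01-10T10:00:04Z user=bob GET /api/v1/tag/1/objects/ 200",
    "2026-01-10T10:00:05Z user=bob GET /api/v1/tag/2/objects/ 200",
    "2026-01-10T10:00:06Z user=bob GET /api/v1/tag/3/objects/ 200",
    "2026-01-10T10:00:07Z user=bob GET /api/v1/tag/4/objects/ 200",
    "2026-01-10T10:00:08Z user=bob GET /api/v1/tag/5/objects/ 200",
    "2026-01-10T10:00:09Z user=carol GET /api/v1/tag/ 403",
    "malformed line that should be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def is_tag_endpoint(path: str) -> bool:
    """Same scope as the advisory's SIEM query: /api/v1/tag/ or any path containing /tag/."""
    return path.startswith("/api/v1/tag/") or "/tag/" in path


def tag_hits_by_user(lines):
    """Count successful (HTTP 200) GETs to tag endpoints per authenticated user.

    Only 200 responses are counted: those are the requests that actually returned data,
    which is what the advisory's network indicator describes. A 403 (e.g. after the
    feature is disabled) is not counted as a hit.
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the assumed format
        if m["method"] == "GET" and m["status"] == "200" and is_tag_endpoint(m["path"]):
            hits[m["user"]] += 1
    return hits


def flag_users(lines, threshold: int = 5):
    """Return users whose successful tag-endpoint GETs meet or exceed the threshold."""
    return sorted(u for u, n in tag_hits_by_user(lines).items() if n >= threshold)


if __name__ == "__main__":
    print(flag_users(SAMPLE_LOGS))  # ['bob']
```

Tune the threshold to the normal tag-browsing volume in your deployment; a single user enumerating many tag associations in quick succession is the pattern worth reviewing.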

🔗 References
