CVE-2025-27696 – apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <4.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00017 pctl0.02847

Details

Apache Superset Allows Ownership Takeover Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.

Metadata

Created: 2025-05-13T09:31:09Z
Modified: 2025-07-16T21:02:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-w6c7-j32f-rq8j/GHSA-w6c7-j32f-rq8j.json
CWE IDs: ["CWE-285", "CWE-863"]
Alternative ID: GHSA-w6c7-j32f-rq8j
Finding: F039
Auto approve: 1