Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2026-23983

Severity CVSS v4.0:
LOW
Type:
CWE-200 Information Leak / Disclosure
Publication date:
24/02/2026
Last modified:
24/02/2026

Description

A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.<br /> When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data <br /> <br /> This issue affects Apache Superset: before 6.0.0.<br /> <br /> Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS v4.0 Severity and Metrics:

Base Score: 2.30 LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None

Base Score 4.0
2.30
Severity 4.0
LOW

References to Advisories, Solutions, and Tools