CVE-2023-27524

Apache Superset: Session validation vulnerability when using provided default SECRET_KEY

Basic Information

CVE State
PUBLISHED
Reserved Date
March 02, 2023
Published Date
April 24, 2023
Last Updated
February 03, 2025
Vendor
Apache Software Foundation
Product
Apache Superset
Description
Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value of the SECRET_KEY config. All Superset installations should always set a unique, secure, random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and to encrypt sensitive information in the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = Alternatively, you can set it with the `SUPERSET_SECRET_KEY` environment variable.
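As an added illustration of the mitigation described above (this is example code, not part of the advisory or of the Superset project), the following script resolves SECRET_KEY from the two places the advisory names, a `SECRET_KEY = "..."` assignment in `superset_config.py` and the `SUPERSET_SECRET_KEY` environment variable, and flags a missing, default or short key. The default key string itself is not on this page, so `KNOWN_DEFAULT_KEYS` holds an obviously labelled placeholder; the precedence of config file over environment variable, the 32-byte minimum and the `generate_secret_key` helper are assumptions made for this example.

```python
import os
import re
import secrets
from typing import Dict, Optional

# Placeholder only: the actual shipped default value is not reproduced here.
# Operators should add the real default string from their Superset release.
KNOWN_DEFAULT_KEYS = {"<DEFAULT_SECRET_KEY_PLACEHOLDER>"}

# Assumed minimum: 32 random bytes is a common floor for an HMAC signing key.
MIN_KEY_BYTES = 32

# Matches a top-level  SECRET_KEY = "..."  or  SECRET_KEY = '...'  assignment.
_ASSIGN_RE = re.compile(r'^\s*SECRET_KEY\s*=\s*["\']([^"\']*)["\']', re.MULTILINE)


def load_secret_key(config_source: Optional[str], env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the effective SECRET_KEY, or None if neither source defines one.

    Assumed resolution order (an assumption of this example): an explicit
    assignment in superset_config.py wins over SUPERSET_SECRET_KEY in the
    environment, which in turn wins over "not set".
    """
    if config_source:
        match = _ASSIGN_RE.search(config_source)
        if match:
            return match.group(1)
    env = os.environ if env is None else env
    return env.get("SUPERSET_SECRET_KEY") or None


def assess_secret_key(value: Optional[str]) -> str:
    """Classify a key as 'missing', 'default', 'weak' or 'ok'."""
    if not value:
        return "missing"
    if value in KNOWN_DEFAULT_KEYS:
        return "default"
    if len(value.encode("utf-8")) < MIN_KEY_BYTES:
        return "weak"
    return "ok"


def generate_secret_key(nbytes: int = 42) -> str:
    """Produce a URL-safe random key from the OS CSPRNG (42 bytes -> 56 chars)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample config that still carries the placeholder default.
    sample_config = 'ROW_LIMIT = 5000\nSECRET_KEY = "<DEFAULT_SECRET_KEY_PLACEHOLDER>"\n'
    key = load_secret_key(sample_config, env={})
    verdict = assess_secret_key(key)
    print(f"SECRET_KEY verdict: {verdict}")
    if verdict != "ok":
        print("Set a fresh key, e.g. in superset_config.py:")
        print(f'SECRET_KEY = "{generate_secret_key()}"')
```

Run it against the real `superset_config.py` contents (for example `load_secret_key(open(path).read())`) and the live environment; any verdict other than `ok` means session cookies are being signed with a key an attacker may already know or can guess, which is exactly the condition the advisory describes.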

CVSS Scores

CVSS v3.1

8.9 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2024-01-08 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2024-05-11 12:19:55 UTC) Source

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-01-08 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Cappricio-Securities/CVE-2023-27524

Type: github • Created: 2024-05-11 12:29:08 UTC • Stars: 2

Apache Superset - Authentication Bypass

karthi-the-hacker/CVE-2023-27524

Type: github • Created: 2024-05-11 12:19:55 UTC • Stars: 1

Tool for finding CVE-2023-27524 (Apache Superset - Authentication Bypass)

jakabakos/CVE-2023-27524-Apache-Superset-Auth-Bypass-and-RCE

Type: github • Created: 2023-09-08 06:15:00 UTC • Stars: 24

TardC/CVE-2023-27524

Type: github • Created: 2023-05-08 16:50:08 UTC • Stars: 11

Apache Superset Auth Bypass (CVE-2023-27524)

ThatNotEasy/CVE-2023-27524

Type: github • Created: 2023-05-04 21:43:48 UTC • Stars: 3

Perform With Apache-SuperSet Leaked Token [CSRF]

ZZ-SOCMAP/CVE-2023-27524

Type: github • Created: 2023-04-27 07:31:40 UTC • Stars: 3

Apache Superset Auth Bypass Vulnerability CVE-2023-27524.

horizon3ai/CVE-2023-27524

Type: github • Created: 2023-04-25 04:59:05 UTC • Stars: 103

Basic PoC for CVE-2023-27524: Insecure Default Configuration in Apache Superset