Apache Superset <4.1.3: /chart/data Exposure of Query Payload
CVE-2025-55673 Published on August 14, 2025
Apache Superset: Metadata exposure in embedded charts
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.
This issue affects Apache Superset versions before 4.1.3.
Users are recommended to upgrade to version 4.1.3, which fixes the issue.
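A check for the exposure described above, as an added example that is not code from the Apache Superset project or from this advisory: it inspects a captured /chart/data response body from a guest session, reports where a non-empty query field appears, and produces the body with that field removed for comparison. The response shape ({"result": [{"query": ..., "data": ...}]}), the sample body, and all function names are assumptions made for illustration.

```python
import json

# Constructed sample of a /chart/data response body as seen by a guest session.
# The {"result": [{"query": ..., "data": ...}]} shape is an assumption.
SAMPLE_BODY = json.dumps({
    "result": [
        {"query": "SELECT region, SUM(amount) FROM finance.invoices GROUP BY region",
         "data": [{"region": "EMEA", "SUM(amount)": 1200}],
         "rowcount": 1},
        {"query": None, "data": [], "rowcount": 0},
    ]
})

def find_query_fields(node, path="$"):
    """Return the JSON paths of every non-empty string 'query' value."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "query" and isinstance(value, str) and value.strip():
                hits.append(child)
            else:
                hits.extend(find_query_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_query_fields(item, f"{path}[{i}]"))
    return hits

def redact_query_fields(node):
    """Return a copy of the payload with every 'query' key dropped."""
    if isinstance(node, dict):
        return {k: redact_query_fields(v) for k, v in node.items() if k != "query"}
    if isinstance(node, list):
        return [redact_query_fields(v) for v in node]
    return node

def audit_guest_response(body):
    """Parse a response body; return (leak paths, body without 'query' keys)."""
    payload = json.loads(body)
    return find_query_fields(payload), json.dumps(redact_query_fields(payload))

if __name__ == "__main__":
    leaks, cleaned = audit_guest_response(SAMPLE_BODY)
    print("query field exposed at:", leaks or "none")
    print("body without query fields:", cleaned)
```

Run against guest-session responses captured after upgrading to 4.1.3, an empty list of leak paths is the expected result.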
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2025-55673 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2025-55673
Affected Versions
Apache Software Foundation Apache Superset: versions before 4.1.3 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.