Apache Superset <5.0.0 /explore IAC Allows Datasource Enumeration
CVE-2025-55675 Published on August 14, 2025
Apache Superset: Incorrect datasource authorization on REST API
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-55675 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2025-55675
Want to know whenever a new CVE is published for Apache Superset? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Superset:- Before 5.0.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.