PYSEC-2026-1188

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1188.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1188
Aliases
Published
2026-07-07T11:45:27.697634Z
Modified
2026-07-07T17:57:29.612156594Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache Superset has Incorrect Default Permissions
Details

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations. This issue affects Apache Superset: before 2.1.2. Users should upgrade to version or above 2.1.2 and run superset init to reconstruct the Gamma role or remove can_read permission from the mentioned resources.

References

Affected packages

PyPI / apache-superset

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.2

Affected versions

0.*
0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
2.*
2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3
2.1.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1188.yaml"