CVE-2025-55675: 
Wolfi vulnerability analysis and mitigation

Apache Superset contains an improper access control vulnerability (CVE-2025-55675) in its /explore endpoint, discovered and disclosed on August 14, 2025. The vulnerability affects Apache Superset versions before 5.0.0. A missing authorization check allows authenticated users to discover metadata about datasources they do not have permission to access (NVD).

The vulnerability stems from a missing authorization check in the /explore endpoint. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, and a CVSS v4.0 score of 5.3 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability leads to sensitive information disclosure, allowing authenticated users to discover metadata about datasources they should not have access to. This could potentially expose confidential information about protected data sources within the Apache Superset installation (NVD).

Users are recommended to upgrade to Apache Superset version 5.0.0 or later, which contains the fix for this vulnerability (NVD).