Apache · Apache Superset · CVE-2026-23983
**Name of the Vulnerable Software and Affected Versions**
Apache Superset versions prior to 6.0.0
**Description**
A sensitive data exposure issue exists in Apache Superset that allows authenticated users to retrieve sensitive user information. The `'/api/v1/tag'` API endpoint, when enabled, improperly serializes and returns sensitive fields associated with user objects, including password hashes (pbkdf2), email addresses, and login statistics. Users with low privileges, such as those with the Gamma role, can view this sensitive authentication data.
**Recommendations**
Upgrade to version 6.0.0, which resolves the issue.
Ensure `TAGGING SYSTEM` is set to False, as this is the default configuration for Apache Superset.