PT-2023-2879 · Apache · Apache Superset

Naveen Sunkavally · Published 2023-04-24 · Updated 2025-09-09

CVE-2023-27524

CVSS v2.0: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

**Name of the Vulnerable Software and Affected Versions**

Apache Superset versions up to and including 2.0.1

**Description**

The issue is a session validation flaw in Apache Superset: installations that have not changed the default configured `SECRET_KEY`, as the installation instructions require, allow an attacker to authenticate and access unauthorized resources. Superset administrators who have changed the default value of the `SECRET_KEY` config are not affected. The `SECRET_KEY` is used to sign all session cookies and to encrypt sensitive information stored in the database. Approximately 2,124 servers are potentially affected, with 67% of open internet-facing servers still using the default configuration.

**Recommendations**

For versions up to and including 2.0.1, add a strong `SECRET_KEY` to your `superset_config.py` file, e.g. `SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>`. Alternatively, set it with the `SUPERSET_SECRET_KEY` environment variable. Changing the default `SECRET_KEY` in this way is the temporary workaround that prevents exploitation until the version is updated. For the best protection, update to version 2.1 or later, which refuses to run the server with the default `SECRET_KEY`.
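A stdlib-only startup guard that implements the two recommendations above (pick the key from `SUPERSET_SECRET_KEY` or the config file, refuse to run with a default or weak value, and generate a fresh key). This is an added example, not Apache Superset's own code or its 2.1 check; the precedence of the environment variable over the config file, the length and entropy thresholds, and the `KNOWN_DEFAULT_KEYS` set are assumptions, and the set holds only the placeholder literal from the sample line above plus a generic marker, to be extended with the defaults shipped in your own deployment templates.

```python
"""Startup guard for Superset's SECRET_KEY (added example, stdlib only)."""
import math
import os
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Values that must never be accepted as a real key. Constructed placeholder
# set: the literal from the advisory's sample config line and a generic
# marker. Extend it with the defaults shipped in your own superset_config.py
# and deployment templates.
KNOWN_DEFAULT_KEYS = frozenset({
    "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",
    "<YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>",
    "CHANGE_ME",
})

MIN_KEY_LENGTH = 32       # assumption: local policy, not a Superset constant
MIN_BITS_PER_CHAR = 3.0   # assumption: rejects repeated/low-variety strings


def shannon_entropy_bits(value: str) -> float:
    """Shannon entropy per character of the string (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def resolve_secret_key(config_value: Optional[str],
                       env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Effective key: SUPERSET_SECRET_KEY from the environment, else the
    value from superset_config.py. Assumption: the env var wins when set."""
    env = os.environ if env is None else env
    return env.get("SUPERSET_SECRET_KEY") or config_value


def check_secret_key(key: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the key is acceptable."""
    findings: List[str] = []
    if not key:
        return ["SECRET_KEY is unset or empty"]
    if key.strip() in KNOWN_DEFAULT_KEYS:
        findings.append("SECRET_KEY is a known default/placeholder value")
    if len(key) < MIN_KEY_LENGTH:
        findings.append(f"SECRET_KEY shorter than {MIN_KEY_LENGTH} characters")
    if shannon_entropy_bits(key) < MIN_BITS_PER_CHAR:
        findings.append("SECRET_KEY has too little character variety")
    return findings


def generate_secret_key(nbytes: int = 48) -> str:
    """Fresh random key from the OS CSPRNG as URL-safe base64 text."""
    return secrets.token_urlsafe(nbytes)


def enforce_secret_key(key: Optional[str]) -> None:
    """Abort startup when the key is weak, the behaviour 2.1+ adopts for
    the default key."""
    findings = check_secret_key(key)
    if findings:
        raise SystemExit("Refusing to start:\n  " + "\n  ".join(findings))


if __name__ == "__main__":
    # Constructed demo: the placeholder is rejected, a generated key passes.
    print("placeholder ->", check_secret_key("YOUR_OWN_RANDOM_GENERATED_SECRET_KEY"))
    fresh = generate_secret_key()
    print("generated   ->", check_secret_key(fresh) or "OK")
    print("export SUPERSET_SECRET_KEY=" + fresh)
    enforce_secret_key(resolve_secret_key(fresh))
```

Run `enforce_secret_key(resolve_secret_key(SECRET_KEY))` at the end of `superset_config.py` or in the deployment pipeline so a copied-over placeholder never reaches production. When rotating an existing key, remember that the same `SECRET_KEY` signs every session cookie and encrypts sensitive information in the database: all sessions are invalidated, and stored secrets must be re-encrypted under the new key before the old one is discarded.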


Related Identifiers

BDU:2023-02828
BIT-SUPERSET-2023-27524
CVE-2023-27524
GHSA-5CX2-VQ3H-X52C

Affected Products

Apache Superset