Severity: Affected versions:
- Apache Superset before 4.1.3 Description: When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue. Credit: Pedro Sousa (coordinator) Daniel Gaspar (remediation developer) References: https://www.cve.org/CVERecord?id=CVE-2025-55673
