orbisai0security opened a new pull request, #40026: URL: https://github.com/apache/superset/pull/40026
## Summary

Fix critical severity security issue in `superset/security/api.py`.

## Vulnerability

| Field | Value |
|-------|-------|
| **ID** | V-004 |
| **Severity** | CRITICAL |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-004` |
| **File** | `superset/security/api.py:172` |

**Description**: The guest token creation endpoint at superset/security/api.py:172 loads the request body via guest_token_create_schema.load() but does not verify that the requesting user has explicit access to every resource (dashboard or dataset ID) specified in the payload. Any authenticated user with permission to call this endpoint can craft a request specifying restricted resource IDs they do not own, causing the server to issue a valid guest token granting access to those restricted resources.

## Changes

- `superset/security/api.py`

## Verification

- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---

*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
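One defensive shape for the check the description says is missing: validate every resource in a guest-token payload against the requester's own access before anything is minted, failing closed and never issuing a partial grant. This is an added example, not Superset's code and not the change in this PR; the payload shape, the `user_can_access` callback and all helper names are assumptions.

```python
"""Added example (not Superset's own code): authorize a guest-token payload
before minting. Payload shape and helper names are assumptions."""
from dataclasses import dataclass, field

# Assumed set of resource types a guest token may name; adjust per deployment.
ALLOWED_RESOURCE_TYPES = {"dashboard", "dataset"}


@dataclass
class AuthzResult:
    ok: bool
    denied: list = field(default_factory=list)   # (type, id) the requester lacks
    errors: list = field(default_factory=list)   # malformed entries


def authorize_guest_token_payload(payload, user_can_access):
    """Reject unless the requester can access EVERY resource in the payload.

    payload: dict like {"resources": [{"type": "dashboard", "id": 1}, ...]}
    user_can_access: callable(resource_type, resource_id) -> bool (caller-supplied)
    """
    result = AuthzResult(ok=True)
    resources = payload.get("resources")
    if not isinstance(resources, list) or not resources:
        result.ok = False
        result.errors.append("resources must be a non-empty list")
        return result
    for res in resources:
        rtype = res.get("type") if isinstance(res, dict) else None
        rid = res.get("id") if isinstance(res, dict) else None
        if rtype not in ALLOWED_RESOURCE_TYPES or rid in (None, ""):
            result.ok = False
            result.errors.append(f"malformed resource entry: {res!r}")
            continue
        try:  # fail closed: an exception in the access check counts as denial
            allowed = bool(user_can_access(rtype, str(rid)))
        except Exception:
            allowed = False
        if not allowed:
            result.ok = False
            result.denied.append((rtype, str(rid)))
    return result


def issue_guest_token(payload, user_can_access, mint):
    """Mint only when the whole payload is authorized; no partial grants."""
    decision = authorize_guest_token_payload(payload, user_can_access)
    if not decision.ok:
        raise PermissionError(f"denied={decision.denied} errors={decision.errors}")
    return mint(payload)


# Constructed sample ACL: the requester may access dashboards 1 and 2 only.
SAMPLE_ACL = {("dashboard", "1"), ("dashboard", "2")}
def sample_acl(rtype, rid):
    return (rtype, rid) in SAMPLE_ACL
```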
