CVE-2025-55673 is an information disclosure vulnerability classified under CWE-200 affecting Apache Superset versions prior to 4.1.3. The flaw resides in the API endpoint /chart/data, which returns chart data to users. When a guest user—who typically has minimal privileges—requests chart data, the API response improperly includes a 'query' field containing the raw underlying database query. This query reveals sensitive schema details such as table names and potentially other structural metadata. Since guest users are unauthorized actors with limited access, this exposure violates the principle of least privilege and can facilitate further attacks by providing attackers with valuable intelligence about the database structure. The vulnerability requires no authentication or user interaction beyond guest access, making it relatively easy to exploit in environments where guest access is enabled. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and no user interaction, but limited impact confined to confidentiality of schema information. The issue was addressed in Apache Superset version 4.1.3 by removing or restricting the exposure of the query field in API responses to unauthorized users.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of internal database schema information. While it does not directly expose sensitive data records, knowledge of table names and database structure can significantly aid attackers in crafting targeted SQL injection attacks, privilege escalation, or lateral movement within the network. Organizations with publicly accessible Superset dashboards or guest user access enabled are particularly vulnerable. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR concerns if subsequent attacks lead to personal data exposure), and potential financial losses. The impact is heightened in sectors with critical data assets such as finance, healthcare, and government institutions prevalent in Europe. Although no active exploits are known, the vulnerability lowers the barrier for attackers conducting reconnaissance, increasing the likelihood of follow-on attacks.

European organizations should immediately upgrade Apache Superset to version 4.1.3 or later, where this vulnerability is fixed. If upgrading is not immediately feasible, organizations should disable guest user access or restrict it through network segmentation and access controls to trusted users only. Implement API response filtering or proxy solutions to remove or mask the 'query' field in /chart/data responses for guest users. Conduct thorough audits of Superset configurations to ensure minimal exposure of sensitive information. Additionally, monitor logs for unusual access patterns to the /chart/data endpoint by guest users. Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates. Finally, educate developers and administrators about the risks of exposing internal queries and enforce secure coding and configuration practices for BI tools.