CVE-2026-23983: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Superset
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data. This issue affects Apache Superset before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue, or make sure TAGGING_SYSTEM is False (the current Apache Superset default).
AI Analysis
Technical Summary
CVE-2026-23983 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting Apache Superset, an open-source data visualization and business intelligence platform maintained by the Apache Software Foundation. The flaw exists in the Tag endpoint, which, when enabled, allows users to query the objects associated with a given tag. When those objects include user entities, the API response improperly serializes sensitive user fields such as password hashes (pbkdf2), email addresses, and login statistics. This serialization flaw lets authenticated users with low privileges (e.g., the Gamma role) retrieve authentication-related data that should be restricted. All versions before 6.0.0 are affected. The default configuration disables the Tag endpoint (TAGGING_SYSTEM=False), so an instance is exposed only if tagging has been explicitly enabled. Apache Superset 6.0.0 addresses the issue by correcting the serialization behavior and restricting the sensitive data that is returned. Exploitation requires authentication but no additional user interaction; the CVSS 4.0 vector indicates a network attack vector, low attack complexity, and low impact on confidentiality, integrity, and availability, giving an overall low severity rating.
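The root cause described above is a classic over-serialization bug: a generic "dump every column" serializer applied to whatever object happens to carry a tag. The following is an added illustration of that pattern beside an allowlist-based fix; it is not Superset's code, and the model classes and field names are constructed to mirror the categories the advisory lists.

```python
# Added illustration of over-serialization (CWE-200), not Superset's own code.
# Model fields are constructed to mirror the advisory: password hash, email,
# login statistics live on the User object alongside harmless identity fields.
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    username: str
    email: str
    password: str          # pbkdf2 hash; must never leave the server
    login_count: int
    last_login_ip: str


@dataclass
class Dashboard:
    id: int
    title: str


# Constructed sample: the objects associated with one tag, mixed types.
TAGGED = [
    Dashboard(1, "Sales"),
    User(7, "gamma_user", "g@example.com", "pbkdf2:sha256:...", 42, "10.0.0.5"),
]

# Field names the hardened serializer must never emit (assumption, for the audit helper).
SENSITIVE = {"password", "email", "login_count", "last_login_ip"}


def serialize_naive(obj) -> dict:
    """Vulnerable pattern: every attribute of whatever object is tagged."""
    return asdict(obj)


# Hardened pattern: an explicit allowlist per object type; unknown types get only an id.
ALLOWED_FIELDS = {
    Dashboard: ("id", "title"),
    User: ("id", "username"),
}


def serialize_safe(obj) -> dict:
    fields = ALLOWED_FIELDS.get(type(obj), ("id",))
    return {name: getattr(obj, name) for name in fields}


def tagged_objects_response(objects, serializer) -> list:
    """Build the response body a tag-objects endpoint would return."""
    return [dict(type=type(o).__name__.lower(), **serializer(o)) for o in objects]


def leaked_fields(response) -> set:
    """Audit helper: sensitive field names that appear anywhere in a response."""
    return {k for item in response for k in item if k in SENSITIVE}
```

Running `leaked_fields` over a captured response is a cheap regression check for any endpoint that returns heterogeneous objects.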
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive user information, including password hashes and email addresses, to authenticated users with minimal privileges. This exposure can facilitate further attacks such as credential cracking, phishing, or lateral movement within an organization. Although the vulnerability does not allow unauthenticated access or direct system compromise, the leakage of password hashes and login statistics weakens the overall security posture and increases the risk of account takeover. Organizations relying on Apache Superset for business intelligence and data visualization may face privacy violations and compliance issues if sensitive user data is exposed. The impact is limited by the requirement for authenticated access and by the Tag endpoint being disabled by default, but environments with tagging enabled and multiple user roles are at higher risk. No known exploits are reported in the wild, which reduces the immediate threat but still warrants proactive remediation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Apache Superset to version 6.0.0 or later, where the issue is fixed. If upgrading is not immediately feasible, ensure the TAGGING_SYSTEM configuration is set to False (the default), which disables the vulnerable Tag endpoint and prevents the exposure. Review user roles and permissions so that the Gamma role and other low-privilege accounts are granted only where needed, minimizing the number of users who could exploit this flaw. If tagging is enabled, audit API usage and monitor for unusual access patterns to the Tag endpoint. Additionally, consider network-level access controls to restrict who can reach the Superset instance, and enforce strong authentication mechanisms. Regularly update and patch Apache Superset installations as part of standard security hygiene to prevent exploitation of known vulnerabilities.
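The two configuration-level checks above (installed version versus 6.0.0, and whether TAGGING_SYSTEM is on) can be scripted. The following is an added example, not Superset's own tooling: it reads a `superset_config.py` statically with `ast` rather than importing it, and assumes TAGGING_SYSTEM may be set as a top-level assignment, as a key in a `FEATURE_FLAGS` dict literal, or by subscript assignment; any other form is reported for manual review.

```python
# Added audit helper for this advisory (not from the Superset project).
# Assumptions: config is a superset_config.py; TAGGING_SYSTEM is set either as
# `TAGGING_SYSTEM = ...`, `FEATURE_FLAGS = {"TAGGING_SYSTEM": ...}` or
# `FEATURE_FLAGS["TAGGING_SYSTEM"] = ...`. Absent means the default (False) applies.
import ast

FIXED_VERSION = (6, 0, 0)


def parse_version(v: str) -> tuple:
    """'5.0.0rc1' -> (5, 0, 0): only the leading digits of each component count."""
    parts = []
    for comp in v.split(".")[:3]:
        digits = ""
        for ch in comp:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))


def _const(node):
    """Literal value of an AST node, or 'dynamic' if it is computed at runtime."""
    return node.value if isinstance(node, ast.Constant) else "dynamic"


def tagging_setting(config_source: str):
    """True/False if set literally, None if absent, 'dynamic' if non-literal."""
    found = None
    for stmt in ast.parse(config_source).body:  # top-level statements, last one wins
        if not isinstance(stmt, ast.Assign):
            continue
        for target in stmt.targets:
            if isinstance(target, ast.Name) and target.id == "TAGGING_SYSTEM":
                found = _const(stmt.value)
            elif (isinstance(target, ast.Name) and target.id == "FEATURE_FLAGS"
                  and isinstance(stmt.value, ast.Dict)):
                for k, v in zip(stmt.value.keys, stmt.value.values):
                    if isinstance(k, ast.Constant) and k.value == "TAGGING_SYSTEM":
                        found = _const(v)
            elif (isinstance(target, ast.Subscript) and isinstance(target.value, ast.Name)
                  and target.value.id == "FEATURE_FLAGS"
                  and _const(target.slice) == "TAGGING_SYSTEM"):
                found = _const(stmt.value)
    return found


def assess(version: str, config_source: str) -> str:
    if parse_version(version) >= FIXED_VERSION:
        return "fixed: running 6.0.0 or later"
    setting = tagging_setting(config_source)
    if setting == "dynamic":
        return "unknown: TAGGING_SYSTEM comes from a non-literal expression; review manually"
    if setting:
        return "exposed: TAGGING_SYSTEM enabled on a pre-6.0.0 release; disable it or upgrade"
    return "mitigated: TAGGING_SYSTEM disabled (default); upgrade to 6.0.0 when possible"
```

Feed `assess()` the output of `pip show apache-superset` and the contents of the deployed config file; the function intentionally never executes the config, so it is safe to run against a production copy.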
Affected Countries
United States, Germany, United Kingdom, France, India, Japan, Australia, Canada, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-01-19T17:00:45.868Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699da85ebe58cf853bd6363e
Added to database: 2/24/2026, 1:32:14 PM
Last enriched: 3/4/2026, 1:58:59 AM
Last updated: 4/10/2026, 11:51:55 PM
Views: 111