CVE Number: CVE-2026-23983

Vulnerability: Sensitive Data Exposure via REST API (disabled by default)

Software: Apache Superset

Severity: Not specified

Affected Versions: Apache Superset 0.0.0 before 6.0.0

Description: An authenticated user can retrieve sensitive user information through the Tag endpoint (disabled by default). This vulnerability allows authorized users with low privileges to access sensitive data such as password hashes, email addresses, and login statistics.

Recommendations: Upgrade to version 6.0.0 or ensure is set to False (the current default in Apache Superset).

Credit: Reported by Krzysztof Maurek, remediation by Daniel Gaspar

References:
- Apache Superset
- CVE Entry