*Overview*: Apache Superset uses Flask to handle user sessions. When a user logs in to Apache Superset, the browser receives a session cookie named `session`; when the user logs out, that cookie is removed from the browser. Flask's default session is stored entirely client-side as a signed cookie, so logout deletes the cookie from the browser but invalidates nothing on the server.

If a session cookie is leaked to a malicious actor, it can therefore still be used after the user has logged out, until the cookie expires or the application's `SECRET_KEY` is rotated. To confirm exposure on a deployment, log in, copy the value of the `session` cookie, log out in the browser, and replay the copied cookie against an authenticated endpoint: with the default configuration the request still succeeds.

*Affected Versions*: Apache Superset < 3.1.0

*Recommendations*: Apache Superset 3.1.0 introduced the capability to use server-side sessions. This feature is disabled by default and can be enabled in the configuration by setting `SESSION_SERVER_SIDE = True`. With server-side sessions the cookie carries only a session identifier and the session state is kept on the server, so logout can delete that state and a leaked cookie stops working. Note that the flag must be paired with a configured session store, as described in the linked documentation, and that on versions before 3.1.0 the available mitigation is rotating `SECRET_KEY`, which invalidates every previously issued cookie.

More details on: https://superset.apache.org/docs/security/#switching-to-server-side-sessions

*Acknowledgments*: We would like to thank Amit Laish (GE Vernova) for responsibly reporting this vulnerability.

Best Regards,
Daniel Gaspar / Apache Superset PMC
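The following is an added example, not code from Superset or Flask, that models the two session designs the advisory contrasts: a client-side signed cookie (a simplified stand-in for Flask's default `session` cookie, using HMAC-SHA256 rather than Flask's exact itsdangerous format) and a server-side store keyed by an opaque session id. The `SECRET_KEY` value, the user name `alice`, and the class and function names are constructed for the example. `replay_after_logout` performs the check described above: log in, let an attacker copy the cookie, log out, then replay the copy.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key for this example; a real deployment uses Flask's SECRET_KEY.
SECRET_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ClientSideSessions:
    """Simplified model of Flask's default session: the whole session is a
    signed cookie and the server keeps no record of the sessions it issued."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def _sign(self, payload: str) -> str:
        return _b64(hmac.new(self.key, payload.encode("ascii"), hashlib.sha256).digest())

    def login(self, user: str) -> str:
        payload = _b64(json.dumps({"user": user}).encode("utf-8"))
        return f"{payload}.{self._sign(payload)}"

    def current_user(self, cookie: str):
        """Return the user the cookie authenticates, or None if the signature is bad."""
        payload, sep, sig = cookie.rpartition(".")
        if not sep or not hmac.compare_digest(sig, self._sign(payload)):
            return None
        return json.loads(_unb64(payload))["user"]

    def logout(self, cookie: str) -> None:
        # Logout only tells the browser to drop the cookie. There is no
        # server-side state to revoke, so any copy of the cookie stays valid.
        return None


class ServerSideSessions:
    """Session state lives on the server; the cookie is an opaque identifier."""

    def __init__(self) -> None:
        self.store: dict[str, dict] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.store[sid] = {"user": user}
        return sid

    def current_user(self, cookie: str):
        entry = self.store.get(cookie)
        return entry["user"] if entry else None

    def logout(self, cookie: str) -> None:
        # Deleting the stored state revokes every copy of the cookie at once.
        self.store.pop(cookie, None)


def replay_after_logout(sessions):
    """Log in, let an attacker copy the cookie, log out, replay the copy."""
    cookie = sessions.login("alice")
    stolen_copy = cookie
    sessions.logout(cookie)
    return sessions.current_user(stolen_copy)


if __name__ == "__main__":
    print("client-side cookie after logout:", replay_after_logout(ClientSideSessions(SECRET_KEY)))
    print("server-side session after logout:", replay_after_logout(ServerSideSessions()))
```

With the client-side design the replayed cookie still resolves to `alice` after logout; with the server-side design it resolves to nothing. The same model shows why rotating `SECRET_KEY` is the fallback on older versions: a cookie signed under the old key fails verification under the new one. In Superset the server-side store is configured alongside `SESSION_SERVER_SIDE = True`; the linked documentation shows the settings for that store.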
