apache-superset is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because the legacy REST API endpoints implemented by the request_access and approve functions of core.py use the HTTP GET method, allowing an attacker to redirect to a malicious URL through a GET request.
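
An added example, not Superset's code and not part of the original advisory: a static check for the pattern described above, flagging handlers that change state yet accept GET. The sample source is constructed; the handler names request_access and approve come from the advisory, while save, dashboard and the use of Flask-AppBuilder's expose decorator (GET by default) are assumptions.

```python
import ast

# Constructed sample source (NOT Superset's real core.py); only parsed, never run.
SAMPLE = '''
class Views:
    @expose("/request_access/")
    def request_access(self): pass
    @expose("/approve", methods=("GET",))
    def approve(self): pass
    @expose("/save", methods=("POST",))
    def save(self): pass
    @expose("/dashboard/")
    def dashboard(self): pass
'''

# Handlers known to change server-side state (list assumed for this example).
STATE_CHANGING = {"request_access", "approve", "save"}

def allowed_methods(decorator):
    """HTTP methods an @expose(...) decorator allows; None if it is not a route."""
    if not isinstance(decorator, ast.Call):
        return None
    func = decorator.func
    if (getattr(func, "id", None) or getattr(func, "attr", None)) != "expose":
        return None
    for kw in decorator.keywords:
        if kw.arg == "methods":
            try:
                return {str(m).upper() for m in ast.literal_eval(kw.value)}
            except ValueError:
                return {"GET"}  # not a literal: conservatively assume GET is allowed
    return {"GET"}  # assumption: expose() defaults to GET when methods is omitted

def find_get_state_changes(source, state_changing):
    """Return (handler, line, methods) for state-changing handlers reachable via GET."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name in state_changing:
            for dec in node.decorator_list:
                methods = allowed_methods(dec)
                if methods and "GET" in methods:
                    findings.append((node.name, node.lineno, sorted(methods)))
    return findings

if __name__ == "__main__":
    for name, line, methods in find_get_state_changes(SAMPLE, STATE_CHANGING):
        print(f"line {line}: {name} changes state but accepts {methods}")
```

A finding means the handler should be restricted to POST (or another non-safe method) and covered by CSRF token validation; read-only views such as dashboard are intentionally not flagged.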