Security Alerts

Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

The Apache Superset open-source data visualization software has released a fix for a vulnerability that could lead to remote code execution due to an insecure default configuration. The flaw, tracked as CVE-2023-27524, affects versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY. Attackers could gain unauthorized access to internet-exposed installations that have not changed the default value of the SECRET_KEY. A fix was released in April 2023, which prevents the server from starting up altogether if it is configured with the default SECRET_KEY. A Python script is also available to check if Superset instances are susceptible to the flaw.
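The mitigation described above (refuse to start when the configured SECRET_KEY is still a shipped default) can be expressed as a small startup guard. The following is an added example and is not Superset's own fix or its check script; the default-key value and the configuration dictionary are constructed placeholders, and the length and character-diversity thresholds are assumptions chosen for illustration.

```python
import secrets

# Constructed placeholder standing in for any value shipped in a default config.
# A real deployment would list the exact default(s) of the framework in use.
KNOWN_DEFAULT_KEYS = {
    "CHANGE_ME_DEFAULT_SECRET_KEY",
}

# Assumed policy thresholds for this example.
MIN_KEY_BYTES = 32          # at least 256 bits of key material
MIN_DISTINCT_CHARS = 8      # rejects obviously low-variety strings


def check_secret_key(secret_key):
    """Return a list of problems with the configured SECRET_KEY.

    An empty list means the key is acceptable. The session-signing key is
    what protects cookies from forgery, so a known or weak value is treated
    as a hard failure rather than a warning.
    """
    problems = []
    if not isinstance(secret_key, str) or not secret_key:
        problems.append("SECRET_KEY is missing")
        return problems
    if secret_key in KNOWN_DEFAULT_KEYS:
        problems.append("SECRET_KEY is a known default value")
    if len(secret_key.encode("utf-8")) < MIN_KEY_BYTES:
        problems.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    if len(set(secret_key)) < MIN_DISTINCT_CHARS:
        problems.append("SECRET_KEY has too few distinct characters")
    return problems


def generate_secret_key():
    """Produce a fresh key from the OS CSPRNG (48 random bytes, URL-safe)."""
    return secrets.token_urlsafe(48)


def enforce_secret_key(config):
    """Startup guard: abort if the SECRET_KEY in `config` is unacceptable.

    Mirrors the page's described fix in spirit: the process refuses to
    come up at all instead of running with a guessable signing key.
    """
    problems = check_secret_key(config.get("SECRET_KEY"))
    if problems:
        raise SystemExit("Refusing to start: " + "; ".join(problems))
    return True


if __name__ == "__main__":
    # Constructed sample configs: one still on the placeholder default,
    # one with a freshly generated key.
    bad_config = {"SECRET_KEY": "CHANGE_ME_DEFAULT_SECRET_KEY"}
    good_config = {"SECRET_KEY": generate_secret_key()}
    print("bad config problems:", check_secret_key(bad_config["SECRET_KEY"]))
    print("good config ok:", enforce_secret_key(good_config))
```

Run the guard before the web framework binds a port so that a mis-deployed instance fails loudly in the deployment logs instead of serving sessions signed with a known key; the known-default set should be populated with the exact values shipped by the software being deployed.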

Link

https://thehackernews.com/2023/04/apache-superset-vulnerability-insecure.html