CVE-2026-23984

CWE-863 — Incorrect Authorization CWE-200 — Information Exposure5 documents5 sources

Severity

7.1HIGH

EPSS

0.0%

top 86.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedFeb 24

Description

An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrad…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDapache/superset< 6.0.0

▶PyPIapache-superset< 6.0.0

▶CVEListV5apache_software_foundation/apache_superset0.0.0 — 6.0.0

🔴Vulnerability Details

OSV

Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections↗2026-02-24

▶

GHSA

Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections↗2026-02-24

▶

CVEList

Apache Superset: SQLLab Read-Only Bypass on PostgreSQL↗2026-02-24

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23984 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶