Apache Superset vulnerabilities

CVE-2026-23982 [HIGH] CWE-863 CVE-2026-23982: An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks b

CVE-2026-23984 [HIGH] CWE-863 CVE-2026-23984: An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated us An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connection

CVE-2026-23969 [MEDIUM] CWE-89 CVE-2026-23969: Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execut Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete. This issue affect

CVE-2026-23980 [MEDIUM] CWE-89 CVE-2026-23980: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which

CVE-2026-23983 [LOW] CWE-200 CVE-2026-23983: A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to re A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive

CVE-2025-55672 [MEDIUM] CWE-80 CVE-2025-55672: A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. A A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hi

CVE-2025-55673 [MEDIUM] CWE-200 CVE-2025-55673: When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoin When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users

CVE-2025-55675 [MEDIUM] CWE-285 CVE-2025-55675: Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missin Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protec

CVE-2025-55674 [MEDIUM] CWE-89 CVE-2025-55674: A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the executio A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database informatio

CVE-2025-48912 [HIGH] CWE-89 CVE-2025-48912: An authenticated malicious actor using specially crafted requests could bypass row level security co An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. This issue affects Apache Superset: before 4.1.2. Users are recommended to up

CVE-2025-27696 [MEDIUM] CWE-863 CVE-2025-27696: Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, ch Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.

CVE-2024-55633 [HIGH] CWE-863 CVE-2024-55633: Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly u

CVE-2024-53949 [HIGH] CWE-863 CVE-2024-53949: Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabl Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

CVE-2024-53948 [MEDIUM] CWE-209 CVE-2024-53948: Generation of Error Message Containing analytics metadata Information in Apache Superset. This issu Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

CVE-2024-53947 [LOW] CVE-2024-53947: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: qu

CVE-2024-39887 [MEDIUM] CWE-89 CVE-2024-39887: An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special e An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been intro

CVE-2024-34693 [MEDIUM] CWE-20 CVE-2024-34693: Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL com

CVE-2024-28148 [MEDIUM] CWE-863 CVE-2024-28148: An authenticated user could potentially access metadata for a datasource they are not authorized to An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2. Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue.

CVE-2024-24773 [MEDIUM] CWE-863 CVE-2024-24773: Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.

CVE-2024-24779 [MEDIUM] CWE-863 CVE-2024-24779: Apache Superset with custom roles that include `can write on dataset` and without all data access pe Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.