
A serious security vulnerability has been discovered in Apache Superset, a widely used open-source data exploration and visualization platform. The flaw exposes sensitive datasets to unauthorized access by allowing authenticated attackers to bypass row-level security (RLS) controls via a SQL injection attack.
Apache Superset is increasingly adopted by data-driven teams seeking to replace traditional business intelligence (BI) tools with open-source alternatives. However, this vulnerability places enterprise data at risk, particularly for those organizations that depend on RLS to enforce fine-grained access control.
“An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into ‘sqlExpression’ fields,” Apache explained in its advisory.
Tracked as CVE-2025-48912, the vulnerability stems from improper sanitization of the sqlExpression field within row-level security policies. An authenticated attacker can inject sub-queries into this field, evading the parser-level protections and reading data outside their authorized scope.
Users running vulnerable versions of Superset are strongly urged to upgrade immediately to version 4.1.2, which includes the necessary patch to mitigate this issue.
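Besides upgrading, a defender can check two things quickly: whether the running Superset version predates the 4.1.2 fix, and whether any configured RLS filter clause already contains a sub-query, set operator, statement separator or comment marker rather than a plain predicate. The script below is an added example written for this article; it is not Superset's own code. It assumes the RLS rules have been exported as a list of dicts with name and clause keys (the SAMPLE_RULES list is constructed for illustration) and that version strings follow the usual major.minor.patch form.

```python
"""Audit helper for Apache Superset row-level-security (RLS) filter clauses.
Added example for this advisory, not Superset project code.
Assumptions: rules arrive as dicts with 'name' and 'clause' keys (constructed
sample below); the fixed release is 4.1.2 as the advisory states."""

import re
from typing import Dict, List, Tuple

FIXED_VERSION = (4, 1, 2)  # first release carrying the CVE-2025-48912 fix

# A plain RLS predicate looks like "tenant_id = 42". A SELECT keyword, a set
# operator, a statement separator or a comment marker means the clause does
# more than filter rows and deserves a manual look.
SUSPICIOUS = re.compile(r"(?i)\b(select|union|intersect|except)\b|;|--|/\*")


def strip_string_literals(sql: str) -> str:
    """Replace the body of every single-quoted literal with '?' so a harmless
    literal such as region = 'select all' is not flagged. Doubled quotes ('')
    inside a literal are treated as the SQL escape for a quote."""
    out: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        j = i + 1
        while j < n:
            if sql[j] == "'":
                if j + 1 < n and sql[j + 1] == "'":  # escaped quote, keep scanning
                    j += 2
                    continue
                break  # closing quote found
            j += 1
        out.append("'?'")
        i = j + 1
    return "".join(out)


def clause_findings(clause: str) -> List[str]:
    """Return the suspicious tokens found in one RLS clause (empty if clean)."""
    scrubbed = strip_string_literals(clause)
    return [m.group(0).lower() for m in SUSPICIOUS.finditer(scrubbed)]


def audit_rls_clauses(rules: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (rule name, findings) for every rule whose clause is suspicious."""
    flagged = []
    for rule in rules:
        findings = clause_findings(rule.get("clause", ""))
        if findings:
            flagged.append((rule.get("name", "<unnamed>"), findings))
    return flagged


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.1.1' (or '4.1.1rc1') into a comparable tuple of numeric parts."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Superset predates the 4.1.2 fix."""
    return parse_version(version) < FIXED_VERSION


# Constructed sample export of RLS rules; not data from any real deployment.
SAMPLE_RULES = [
    {"name": "tenant scope", "clause": "tenant_id = 42"},
    {"name": "literal only", "clause": "region = 'select all'"},
    {"name": "nested query", "clause": "dept IN (SELECT dept FROM managers)"},
    {"name": "trailing comment", "clause": "status = 'active' -- AND tenant_id = 42"},
]

if __name__ == "__main__":
    for name, findings in audit_rls_clauses(SAMPLE_RULES):
        print(f"review rule {name!r}: found {findings}")
    print("4.1.1 needs upgrade:", is_vulnerable_version("4.1.1"))
```

The literal stripping is what keeps the check usable on real rule sets: without it, any filter that legitimately compares a column to a string containing the word "select" would be reported. Treat findings as a review queue, not proof of compromise, and confirm the version check against the instance's actual release before closing the ticket.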