Apache Superset is an open-source data exploration and visualization platform that many teams use in place of, or alongside, proprietary business intelligence tools, and it connects to a wide range of data sources. Security teams running Superset should act quickly: a new batch of security updates addresses five distinct vulnerabilities ranging from low to high severity.
Administrators should prioritize patching two high-severity access-control and input-validation bypass vulnerabilities, both affecting all Superset versions before 6.0.0:
- CVE-2026-23984 (SQLLab Read-Only Bypass on PostgreSQL): An improper input validation flaw lets an authenticated user with SQLLab access bypass the read-only check on a PostgreSQL database connection. Superset blocks plain Data Manipulation Language (DML) statements (INSERT, UPDATE, DELETE) on read-only connections, but it fails to recognise the same operations when they are embedded in specially crafted SQL statements. Treat Superset's statement parsing as a convenience rather than a security boundary: the database role behind a read-only connection should hold SELECT privileges only, so that DML fails at the database no matter how the statement is phrased.
- CVE-2026-23982 (Improper Authorization in Dataset Creation Allows Access Control Bypass): An improper authorization flaw lets a low-privileged user bypass data access controls. When a dataset is created, Superset enforces permission checks that stop users from querying data they are not authorized to see; an authenticated attacker with permission to write datasets and read charts can bypass those checks by overwriting the SQL query of an existing dataset. Until patched, review which roles hold dataset write permission, since that permission is the entry point for this bypass.
The update also resolves two medium-severity flaws that can lead to data exposure and injection:
- CVE-2026-23980 (Improper Neutralization of Special Elements used in a SQL Command): A SQL injection vulnerability in Apache Superset allows an authenticated user with read access to perform error-based SQL injection through the sqlExpression or where parameters. This issue affects Apache Superset versions before 6.0.0.
- CVE-2026-23969 (Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering): Apache Superset uses a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to block potentially sensitive SQL functions in SQL Lab and charts. The feature shipped with restrictions for engines such as PostgreSQL, but the default list for the ClickHouse engine was incomplete. This issue affects all Apache Superset versions before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue. Because the dictionary is configurable, operators can also extend the ClickHouse entry in their own configuration to cover functions that matter in their environment.
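To make the denylist mechanism concrete, here is an added illustration (an editor's example, not code from Apache Superset or from the advisory) of how a per-engine function denylist in the shape of DISALLOWED_SQL_FUNCTIONS is applied to a statement, and why an incomplete ClickHouse entry lets a metadata-probing query through while an extended one blocks it. The contents of the baseline dictionary are an assumption for the example, not Superset's shipped defaults for any version; the ClickHouse functions added to the hardened copy (hostName, currentUser, version, FQDN, getMacro) are real ClickHouse functions chosen here because they reveal host, user and build details, not a list taken from the 4.1.2 fix. The regular-expression scanner is a simplified stand-in for Superset's own SQL parsing.

```python
import re

# Constructed, illustrative per-engine denylist in the shape of Superset's
# DISALLOWED_SQL_FUNCTIONS setting. These entries are assumptions for the
# example, not the project's shipped defaults for any release.
BASELINE_DENYLIST: dict[str, set[str]] = {
    "postgresql": {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"},
    "clickhouse": {"url"},
}

# Operator-extended copy of the kind one would place in superset_config.py.
# The added names are real ClickHouse functions that expose host, user or
# build details; they were chosen for this example, not taken from the fix.
HARDENED_DENYLIST: dict[str, set[str]] = {
    engine: set(names) for engine, names in BASELINE_DENYLIST.items()
}
HARDENED_DENYLIST["clickhouse"] |= {"hostName", "currentUser", "version", "FQDN", "getMacro"}

# An identifier immediately followed by an opening parenthesis, i.e. a call site.
_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def called_functions(sql: str) -> set[str]:
    """Every name used as a function call in `sql`, lower-cased.

    Deliberately crude stand-in for a SQL parser: it also matches names inside
    string literals and comments, so it over-blocks rather than under-blocks,
    which is the right failure direction for a denylist.
    """
    return {m.group(1).lower() for m in _CALL_RE.finditer(sql)}


def disallowed_calls(sql: str, engine: str, denylist: dict[str, set[str]]) -> set[str]:
    """Names in `sql` that `denylist` forbids for `engine` (compared case-insensitively)."""
    banned = {name.lower() for name in denylist.get(engine, set())}
    return called_functions(sql) & banned


def is_allowed(sql: str, engine: str, denylist: dict[str, set[str]]) -> bool:
    """True when the statement calls nothing the engine's denylist forbids."""
    return not disallowed_calls(sql, engine, denylist)


# Constructed probe a low-privileged user might run in SQL Lab against a
# ClickHouse connection: every call returns server metadata, not table data.
PROBE = "SELECT hostName() AS host, currentUser() AS who, version() AS build"

if __name__ == "__main__":
    for label, denylist in (("baseline", BASELINE_DENYLIST), ("hardened", HARDENED_DENYLIST)):
        hit = disallowed_calls(PROBE, "clickhouse", denylist)
        print(f"{label:9s} {'blocked' if hit else 'ALLOWED':8s} {sorted(hit)}")
```

Run stand-alone, the probe passes the baseline list untouched and is rejected by the hardened one. Because whether an engine treats function names case-sensitively varies by engine and version, the example lowercases both the statement and the denylist so that a differently-cased spelling cannot slip past the check.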
Finally, a low-severity data exposure flaw was addressed:
- CVE-2026-23983 (Sensitive Data Exposure via REST API): A sensitive data exposure vulnerability in Apache Superset allows authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) lets users list the objects associated with a given tag. When those objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics, so an authenticated user with low privileges (for example, the Gamma role) can read authentication data. This issue affects all Apache Superset versions before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue, or to confirm that TAGGING_SYSTEM is set to False in their configuration (the current Apache Superset default).