Superset
CVE-2026-23982
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 pypi packages depend on apache-superset (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0.
DescriptionCVE.org
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
AnalysisAI
Apache Superset before version 6.0.0 contains an authorization bypass in dataset management that allows authenticated users with write access to datasets to circumvent data access controls and query unauthorized information. An attacker can exploit this by modifying the SQL query of existing datasets to access restricted data that their role should not permit. No patch is currently available, leaving affected deployments vulnerable until upgrading to version 6.0.0.
Technical ContextAI
Classified as CWE-863 (Incorrect Authorization). Affects Superset. An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to versio
RemediationAI
Update to version 6.0.0 or later. Restrict network access to the affected service where possible.
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Rated critical severity (CVSS 9.8), th
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to pos
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Py
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternati
Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Rated high
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Rated critical severity (CVSS 9.8),
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow fo
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allow
While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests v
In the course of work on the open source project it was discovered that authenticated users running queries against Hive
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Rate
Same weakness CWE-863 – Incorrect Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3m2g-v7jf-7fxc