18 matches found
BIT-SUPERSET-2026-23984 Apache Superset: SQLLab Read-Only Bypass on PostgreSQL
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements...
GHSA-MWF2-QR4V-94H2 Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements...
Incorrect Authorization
Overview: apache-superset is a modern, enterprise-ready business intelligence web application. Affected versions of this package are vulnerable to Incorrect Authorization in the PostgreSQL database connection for SQLLab. An attacker can perform unauthorized data modification by submitting speciall...
CVE-2026-23984
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements...
EUVD-2026-8479
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...
CVE-2026-23984 Apache Superset: SQLLab Read-Only Bypass on PostgreSQL
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements...
EUVD-2026-8475
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements...
PT-2026-21678
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.1.2 Description: Apache Superset uses a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to limit the execution of potentially sensitive SQL functions in SQL Lab and charts. A flaw exists because the defaul...
PT-2026-21682
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 6.0.0 Description: An issue exists in Apache Superset where an authenticated user with SQLLab access can bypass the read-only verification check when using a PostgreSQL database connection. The system does not...
GHSA-FXGF-3XH6-M2PP Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leadi...
CVE-2025-55674
CVE-2025-55674 affects Apache Superset up to version 5.0.0. The issue is a bypass of the DISALLOWED_SQL_FUNCTIONS denylist, allowing a user with SQL Lab access to execute blocked SQL functions and disclose sensitive information (e.g., software version). The publicly stated remediation is to upgra...
Improper Authorization
Overview: apache-superset is a modern, enterprise-ready business intelligence web application. Affected versions of this package are vulnerable to Improper Authorization through the SQLLab component. An attacker can execute unauthorized write operations by crafting a specially designed SQL DML...
Apache Superset Security Vulnerability
Apache Superset is a data visualization and data exploration platform from the Apache USA Foundation. A security vulnerability exists in Apache Superset versions prior to 4.1.0 that stems from improper authorization, which allows an attacker with SQLLab access to construct specially crafted SQL D...
PT-2024-20551 · Apache · Apache Superset
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 3.0.4 Apache Superset versions 3.1.0 through 3.1.0 Description: The issue is related to the improper parsing of nested SQL statements on SQLLab, allowing authenticated users to surpass their data authorizatio...
GHSA-F678-J579-4XF5 Apache Superset - Elevation of Privilege
Overview: An attacker with access to the SQL Lab and the ab_user and ab_user_role tables can elevate his privileges to become administrator. Details: On a more general level, diverse tables that are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords. Modification of...
PT-2023-23948 · Apache · Apache Superset
Name of the Vulnerable Software and Affected Versions: Apache Superset versions up to and including 2.1.0 Description: The issue is related to an incorrect authorization check in SQLLab, allowing an authenticated user to query tables they do not have proper access to. This can be exploited by...
CVE-2019-12414
In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab...
PYSEC-2019-173
In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab...