Total
68 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23969 | 1 Apache | 1 Superset | 2026-02-26 | N/A | 6.5 MEDIUM |
| Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue. | |||||
| CVE-2026-23984 | 1 Apache | 1 Superset | 2026-02-26 | N/A | 6.5 MEDIUM |
| An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue. | |||||
| CVE-2023-27524 | 1 Apache | 1 Superset | 2026-02-26 | N/A | 8.9 HIGH |
| Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable. | |||||
| CVE-2026-23982 | 1 Apache | 1 Superset | 2026-02-25 | N/A | 6.5 MEDIUM |
| An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue. | |||||
| CVE-2026-23983 | 1 Apache | 1 Superset | 2026-02-25 | N/A | 6.5 MEDIUM |
| A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default) | |||||
| CVE-2026-23980 | 1 Apache | 1 Superset | 2026-02-25 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue. | |||||
| CVE-2025-55675 | 1 Apache | 1 Superset | 2025-11-04 | N/A | 6.5 MEDIUM |
| Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | |||||
| CVE-2025-55674 | 1 Apache | 1 Superset | 2025-11-04 | N/A | 6.5 MEDIUM |
| A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | |||||
| CVE-2025-55673 | 1 Apache | 1 Superset | 2025-11-04 | N/A | 4.3 MEDIUM |
| When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue. | |||||
| CVE-2025-55672 | 1 Apache | 1 Superset | 2025-11-04 | N/A | 5.4 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | |||||
| CVE-2025-27696 | 1 Apache | 1 Superset | 2025-09-29 | N/A | 8.8 HIGH |
| Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue. | |||||
| CVE-2024-53947 | 1 Apache | 1 Superset | 2025-07-15 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema. This issue affects Apache Superset: <4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS. | |||||
| CVE-2025-48912 | 1 Apache | 1 Superset | 2025-06-04 | N/A | 6.5 MEDIUM |
| An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue. | |||||
| CVE-2022-41703 | 1 Apache | 1 Superset | 2025-04-08 | N/A | 5.4 MEDIUM |
| A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
| CVE-2022-43718 | 1 Apache | 1 Superset | 2025-04-07 | N/A | 5.4 MEDIUM |
| Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
| CVE-2022-45438 | 1 Apache | 1 Superset | 2025-04-07 | N/A | 5.3 MEDIUM |
| When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
| CVE-2022-43721 | 1 Apache | 1 Superset | 2025-04-07 | N/A | 5.4 MEDIUM |
| An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
| CVE-2022-43720 | 1 Apache | 1 Superset | 2025-04-07 | N/A | 5.4 MEDIUM |
| An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
| CVE-2022-43719 | 1 Apache | 1 Superset | 2025-04-07 | N/A | 8.8 HIGH |
| Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||
| CVE-2022-43717 | 1 Apache | 1 Superset | 2025-04-04 | N/A | 5.4 MEDIUM |
| Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. | |||||