Apache Superset: Privilege escalation with default examples database
Description
Improper authorization check and possible privilege escalation in Apache Superset up to but excluding 2.1.2. Using the default examples database connection, which allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data in the metadata database. This weakness could result in tampering with the authentication/authorization data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Superset before 2.1.2 allows privilege escalation via crafted CTE SQL due to improper authorization on the default examples database.
CVE-2023-40610: Apache Superset Privilege Escalation
The vulnerability is an improper authorization check in Apache Superset versions prior to 2.1.2. The default examples database connection includes access to both the examples schema and Superset's metadata database. An attacker can exploit this by sending a specially crafted Common Table Expression (CTE) SQL statement that bypasses the intended SELECT-only restriction on metadata tables. [1][3]
To exploit this, an attacker needs access to SQL Lab and the ability to query the examples database. Using the WITH ... AS ... RETURNING syntax, the attacker can perform INSERT, UPDATE, or DELETE operations on tables such as ab_user and ab_user_role, which are normally read-only. [3] This does not require administrative privileges.
Successful exploitation allows the attacker to create new users, modify user roles, and escalate privileges to administrator. [3] Additionally, modifying the key_value table could potentially lead to remote code execution (RCE) due to insecure deserialization. [3] This undermines the authentication and authorization mechanisms of Superset.
The vulnerability is fixed in Apache Superset version 2.1.2. [1] Users are advised to upgrade. As a workaround, administrators can restrict access to the examples database or enforce stricter database permissions. [4]
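The narrative above describes a read-only gate that was satisfied by a statement's leading SELECT while a CTE body carried an UPDATE, INSERT or DELETE with RETURNING. As an added example, not code from Apache Superset or from this advisory, here is a stand-alone Python checker that applies the stricter rule such a gate needs: it strips comments and keeps string literals whole, then requires the main statement, every CTE body and every nested statement to start with SELECT, and rejects any RETURNING clause. The function names, sample queries and table names are constructed for this example and do not come from Superset.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Keywords that modify data or schema. A read-only gate must reject each of them
# wherever it starts a statement, including inside a CTE body or a subquery.
WRITE_KEYWORDS = frozenset({
    "INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE",
    "CREATE", "ALTER", "DROP", "GRANT", "REVOKE",
})

_TOKEN_RE = re.compile(r"""
    --[^\n]*            # line comment
  | /\*.*?\*/           # block comment
  | '(?:[^']|'')*'      # single-quoted string literal ('' is an escaped quote)
  | "(?:[^"]|"")*"      # double-quoted identifier
  | \w+                 # keyword, identifier or number
  | \S                  # any other single character: ( ) , ; * = ...
""", re.VERBOSE | re.DOTALL)


def tokenize(sql: str) -> list[str]:
    """Split SQL into tokens, dropping comments so keywords cannot hide in them.
    String literals stay whole, so 'DELETE' inside quotes is never a keyword."""
    return [m.group(0) for m in _TOKEN_RE.finditer(sql)
            if not m.group(0).startswith(("--", "/*"))]


@dataclass
class Verdict:
    top_level: str                                    # keyword starting the main statement
    cte_bodies: list[tuple[str, str]] = field(default_factory=list)  # (name, first keyword)
    findings: list[str] = field(default_factory=list)  # reasons the statement is not read-only

    @property
    def read_only(self) -> bool:
        return not self.findings


def _matching_paren(tokens: list[str], open_idx: int) -> int:
    depth = 0
    for i in range(open_idx, len(tokens)):
        if tokens[i] == "(":
            depth += 1
        elif tokens[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses")


def _parse_cte_prefix(tokens: list[str]) -> tuple[list[tuple[str, str]], set[int], int]:
    """Walk a leading WITH clause. Returns (CTE bodies, token indices where each
    body starts, index of the main statement's first token)."""
    up = [t.upper() for t in tokens]
    ctes: list[tuple[str, str]] = []
    body_starts: set[int] = set()
    if not up or up[0] != "WITH":
        return ctes, body_starts, 0
    i = 2 if up[1] == "RECURSIVE" else 1
    while True:
        name = tokens[i]
        i += 1
        if tokens[i] == "(":                  # optional column list: name(col, ...)
            i = _matching_paren(tokens, i) + 1
        if up[i] != "AS":
            raise ValueError(f"expected AS after CTE {name!r}")
        i += 1
        if up[i] == "NOT":                    # PostgreSQL: AS [NOT] MATERIALIZED (
            i += 1
        if up[i] == "MATERIALIZED":
            i += 1
        if tokens[i] != "(":
            raise ValueError(f"expected ( for the body of CTE {name!r}")
        close = _matching_paren(tokens, i)
        body_starts.add(i + 1)
        ctes.append((name, up[i + 1] if i + 1 < close else ""))
        i = close + 1
        if i < len(tokens) and tokens[i] == ",":
            i += 1
            continue
        return ctes, body_starts, i


def classify(sql: str) -> Verdict:
    """Decide whether a statement is read-only. Unlike a check that only looks at
    the leading keyword, this inspects every CTE body and nested statement."""
    tokens = tokenize(sql)
    try:
        ctes, body_starts, main_idx = _parse_cte_prefix(tokens)
    except (ValueError, IndexError) as exc:   # unparseable input is rejected, not trusted
        return Verdict(top_level="", findings=[f"could not parse statement: {exc}"])
    up = [t.upper() for t in tokens]
    top_level = up[main_idx] if main_idx < len(up) else ""
    v = Verdict(top_level=top_level, cte_bodies=ctes)
    if top_level != "SELECT":
        v.findings.append(f"main statement is {top_level or 'empty'}, not SELECT")
    for name, kw in ctes:
        if kw in WRITE_KEYWORDS:
            v.findings.append(f"CTE {name!r} body starts with {kw}")
    for j, kw in enumerate(up):
        prev = up[j - 1] if j else ""
        # A statement can start at the beginning, after '(' or after ';'.
        if kw in WRITE_KEYWORDS and prev in ("", "(", ";") and j not in body_starts and j != main_idx:
            v.findings.append(f"{kw} starts a nested statement at token {j}")
        if kw == "RETURNING":
            v.findings.append("RETURNING clause present; it only exists on data-modifying statements")
    return v


if __name__ == "__main__":
    # Constructed sample queries; table and column names are invented.
    for q in ("WITH recent AS (SELECT id FROM orders) SELECT count(*) FROM recent",
              "WITH changed AS (UPDATE settings SET value = 'x' RETURNING key) SELECT * FROM changed"):
        print(classify(q).read_only, q)
```

The scan is keyed on statement position (a keyword at the start, after a `(` or after a `;`), so a column that happens to be named `update` is not flagged, while a parse failure or an empty statement is treated as not read-only. A check of this kind belongs in the query gate itself; restricting which database connections SQL Lab users can reach, as the workaround below suggests, limits the damage if the gate is ever bypassed.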
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 2.1.2 | 2.1.2 |
Affected products
- (no CPE) range: < 2.1.2
- Apache Software Foundation / Apache Superset
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-f678-j579-4xf5 (ghsa, advisory)
2. lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot (ghsa, vendor advisory, web)
3. nvd.nist.gov/vuln/detail/CVE-2023-40610 (ghsa, advisory)
4. www.openwall.com/lists/oss-security/2023/11/27/2 (ghsa, web)
5. github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5 (ghsa, web)
News mentions
No linked articles in our index yet.