Apache Superset: Improper error handling on alerts
Description
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data.
This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.
Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Superset improperly handles database errors from crafted alert SQL, leaking sensitive data into error logs; fixed in 3.0.4/3.1.1.
Summary
An authenticated user with privileges to create Alerts in Apache Superset can craft a malicious SQL statement to trigger a database error. Due to improper error handling, the database error may surface in the alert's error log, potentially exposing sensitive data [1][3].
Attack Vector
The vulnerability requires an authenticated user who has the privilege to create alerts via the Alerts & Reports feature. By constructing a specially crafted SQL statement that causes a database error, the user can cause the error message, which may contain sensitive information, to be logged in the alert's error log [3]. The issue lies in the lack of proper sanitization or masking of database error messages before they are stored in the application logs [1].
Impact
An attacker exploiting this vulnerability could gain access to sensitive data that is inadvertently surfaced in the error log. This could include database credentials, schema details, or other confidential information that is included in the database error response [1][3].
Mitigation
The vulnerability affects Apache Superset versions before 3.0.4 and versions from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.0.4 (stable) or 3.1.1 (latest) to remediate the issue [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| apache-superset | PyPI | < 3.0.4 | 3.0.4 |
| apache-superset | PyPI | >= 3.1.0, < 3.1.1 | 3.1.1 |
Affected products
OSV coordinates (3 entries, 2 versions):
- (no CPE) range: < 4.1.1
- (no CPE) range: < 3.0.4
- Apache Software Foundation / Apache Superset (v5) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h7r6-8qmm-hj5r (ghsa, ADVISORY)
- lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-27315 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/02/28/3 (ghsa, WEB)
News mentions
No linked articles in our index yet.