Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.
This issue affects Apache Superset: <4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue, or to add these Postgres functions to the DISALLOWED_SQL_FUNCTIONS config set.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Superset before 4.1.0 fails to block certain PostgreSQL XML functions, allowing SQL injection via bypassed SQL authorization.
Vulnerability
Analysis
CVE-2024-53947 is a SQL injection vulnerability in Apache Superset affecting versions prior to 4.1.0. The root cause is an incomplete blocklist of dangerous PostgreSQL functions. Specifically, functions related to XML generation—query_to_xml_and_xmlschema, table_to_xml, and table_to_xml_and_xmlschema—were not included in the DISALLOWED_SQL_FUNCTIONS configuration. This oversight follows a previous fix for CVE-2024-39887, which already blocked similar functions like query_to_xml and inet_server_addr [1][3].
Exploitation
An attacker who can submit SQL queries through Apache Superset's SQL Lab or chart interfaces can supply a crafted query that invokes one of these unblocked PostgreSQL functions. No special authentication beyond normal SQL query access is required. The attacker does not need to be a database administrator; the SQL authorization bypass occurs because the engine-specific function filters are not applied [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the connected PostgreSQL database. This can lead to unauthorized data access, data manipulation, or further database compromise, depending on the privileges of the database user configured for the Superset instance [1].
Mitigation
The Apache Superset project has released version 4.1.0, which adds the missing functions to the disallowed list [3]. Users who cannot upgrade immediately can manually add these functions (query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema) to the DISALLOWED_SQL_FUNCTIONS configuration parameter for the PostgreSQL engine [1].
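The configuration workaround above as a worked `superset_config.py` fragment, added here and not taken from the Superset code base: it carries the pre-4.1.0 default PostgreSQL denylist forward alongside the three functions named in this advisory, and pairs it with a hypothetical, simplified denylist check (a regex stand-in for Superset's own SQL parser) so the effect of the setting can be exercised offline.

```python
import re

# Superset's shipped default set for the postgresql engine before 4.1.0
# (taken from the patch on this page). An assignment in superset_config.py
# replaces the default dict rather than merging into it, so the override
# must carry these names forward or it silently drops them.
DEFAULT_POSTGRESQL_DISALLOWED: set[str] = {
    "version", "query_to_xml", "inet_server_addr", "inet_client_addr",
}

# The functions this advisory adds for installations that cannot upgrade yet.
CVE_2024_53947_FUNCTIONS: set[str] = {
    "query_to_xml_and_xmlschema", "table_to_xml", "table_to_xml_and_xmlschema",
}

# Value to place in superset_config.py (key names as in superset/config.py).
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": DEFAULT_POSTGRESQL_DISALLOWED | CVE_2024_53947_FUNCTIONS,
    "clickhouse": {"url"},
    "mysql": {"version"},
}

# Hypothetical, simplified denylist check (not Superset's parser): any bare
# identifier directly followed by "(" is treated as a function call.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def disallowed_calls(sql: str, engine: str) -> set[str]:
    """Return the denylisted function names that `sql` calls for `engine`.

    Names are lower-cased before comparison because PostgreSQL folds
    unquoted identifiers to lower case; an engine with no entry in the
    dict has no denylist and therefore yields an empty set.
    """
    denied = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    called = {m.group(1).lower() for m in _CALL.finditer(sql)}
    return called & denied


def is_allowed(sql: str, engine: str) -> bool:
    """True when the query names none of the engine's disallowed functions."""
    return not disallowed_calls(sql, engine)


if __name__ == "__main__":
    # Constructed sample queries, one benign and one naming a denylisted function.
    for q in ("SELECT count(*) FROM orders",
              "SELECT table_to_xml('orders', true, false, '')"):
        print(f"{q!r}: allowed={is_allowed(q, 'postgresql')}")
```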
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 4.1.0 | 4.1.0 |
Affected products
- (no CPE) range: < 4.1.1
- (no CPE) range: < 4.1.0
- Apache Software Foundation / Apache Superset (CPE v5), range: 0
Patches
0e0028260fc8 fix: add more disallowed pg functions (#29454)
1 file changed · +10 −1
superset/config.py+10 −1 modified@@ -1276,7 +1276,16 @@ def CSV_TO_HIVE_UPLOAD_DIRECTORY_FUNC( # pylint: disable=invalid-name # unsafe SQL functions in SQL Lab and Charts. The keys of the dictionary are the engine # names, and the values are sets of disallowed functions. DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = { - "postgresql": {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"}, + "postgresql": { + "database_to_xml", + "inet_client_addr", + "inet_server_addr", + "query_to_xml", + "query_to_xml_and_xmlschema", + "table_to_xml", + "table_to_xml_and_xmlschema", + "version", + }, "clickhouse": {"url"}, "mysql": {"version"}, }
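Review bot: The hunk adds `database_to_xml` to the "postgresql" set, but neither the commit message "fix: add more disallowed pg functions" nor the advisory text on this page (which names only `query_to_xml_and_xmlschema`, `table_to_xml` and `table_to_xml_and_xmlschema`) documents it; please enumerate every newly added name in the commit message and advisory so operators applying the DISALLOWED_SQL_FUNCTIONS workaround on versions before 4.1.0 copy the complete set. The change also touches only configuration data and nothing here shows the enforcement point, so a unit test that runs each new name through the SQL Lab and chart validation path and asserts rejection would guard against future regressions of this denylist.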
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-92qf-8gh3-gwcm (ghsa, ADVISORY)
- lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-53947 (ghsa, ADVISORY)
- github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f (ghsa, WEB)