Moderate severity | NVD Advisory | Published Feb 24, 2026 | Updated Feb 24, 2026
Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering
CVE-2026-23969
Description
Apache Superset uses a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines such as PostgreSQL, a vulnerability was reported in which the default list for the ClickHouse engine was incomplete.
This issue affects Apache Superset versions before 4.1.2.
Users are recommended to upgrade to version 4.1.2, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 4.1.2 | 4.1.2 |
Affected products
- (no CPE) range: < 4.1.2
References
- github.com/advisories/GHSA-48m2-v2r8-h23m (advisory)
- lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23969 (advisory)
- www.openwall.com/lists/oss-security/2026/02/24/4 (web)