Apache Superset: Improper Neutralization of Special Elements used in a SQL Command
Description
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users with read access can perform error-based SQL injection in Apache Superset via the sqlExpression or where parameters, fixed in version 6.0.0.
Overview
CVE-2026-23980 describes an improper neutralization of special elements used in a SQL command (SQL injection) vulnerability in Apache Superset. The flaw exists because user-supplied input passed through the sqlExpression or where parameters is not properly sanitized before being incorporated into database queries. This allows an authenticated attacker with read access to inject malicious SQL statements that are executed by the backend database server [1][3].
Exploitation
An attacker must be an authenticated user of Apache Superset with at least read privileges. The attack is performed by sending a specially crafted request that includes SQL syntax in either the sqlExpression or where parameter. Because these parameters are used directly when constructing SQL queries, without proper neutralization, the injected text becomes part of the executed query. The vulnerability is classified as error-based SQL injection, meaning the attacker can extract information through the error messages the database returns [1][3].
Impact
Successful exploitation enables the attacker to view, modify, or delete data in the underlying database that the application connects to. Depending on the database user's privileges, the attacker may also be able to execute administrative operations, potentially leading to a full compromise of the database. The confidentiality, integrity, and availability of the data managed by Superset are all at risk [1].
Mitigation
The Apache Software Foundation has released version 6.0.0 of Apache Superset, which remediates the vulnerability by properly escaping and parameterizing input passed through the affected parameters. Users must upgrade to version 6.0.0 or later. No workarounds are available [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 6.0.0 | 6.0.0 |
Affected products
- Apache Software Foundation / Apache Superset (v5), range: 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-gvxg-9hqx-f4rg (GHSA, advisory)
2. lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4 (GHSA, vendor advisory, web)
3. nvd.nist.gov/vuln/detail/CVE-2026-23980 (GHSA, advisory)
4. www.openwall.com/lists/oss-security/2026/02/24/5 (GHSA, web)
News mentions
- TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms (The Hacker News, May 8, 2026)
- Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) (Unit 42, Apr 17, 2026)