Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass
Description
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-23982: Apache Superset before 6.0.0 allows dataset SQL overwrite to bypass data access controls.
Root Cause
An improper authorization vulnerability (CVE-2026-23982) exists in Apache Superset. The bug lies in the dataset creation workflow: while permission checks are enforced when creating a new dataset from scratch, they are not properly revalidated when an existing dataset's SQL query is overwritten [1][3]. This oversight allows an attacker to replace the query with one that accesses unauthorized data sources or tables.
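The missing-revalidation pattern described above, reduced to a runnable illustration. This is added example code, not Superset's implementation: it assumes a hypothetical per-user table grant map and a simplified regex for pulling table names out of a query (a real product would use a SQL parser), and shows a service that authorizes SQL only on create beside one that re-authorizes on every SQL change.

```python
import re
from dataclasses import dataclass

# Constructed sample grants: which tables each user may query (hypothetical model).
TABLE_GRANTS = {"analyst": {"public.sales"}}

# Simplified extraction of tables named after FROM/JOIN; a real check must use a SQL parser.
_TABLE_RE = re.compile(r"\b(?:from|join)\s+([a-z_][\w.]*)", re.IGNORECASE)


def referenced_tables(sql: str) -> set:
    """Return the lower-cased set of tables the query references."""
    return {t.lower() for t in _TABLE_RE.findall(sql)}


def authorize_sql(user: str, sql: str) -> None:
    """Raise PermissionError unless every referenced table is granted to the user."""
    missing = referenced_tables(sql) - TABLE_GRANTS.get(user, set())
    if missing:
        raise PermissionError(f"{user} may not query: {sorted(missing)}")


@dataclass
class Dataset:
    owner: str
    sql: str


class VulnerableDatasetService:
    """Authorizes the SQL on create only; update trusts the caller's write right."""

    def __init__(self) -> None:
        self.datasets = {}

    def create(self, user: str, name: str, sql: str) -> None:
        authorize_sql(user, sql)
        self.datasets[name] = Dataset(owner=user, sql=sql)

    def update_sql(self, user: str, name: str, sql: str) -> None:
        ds = self.datasets[name]
        if ds.owner != user:
            raise PermissionError("not the dataset owner")
        ds.sql = sql  # defect: tables touched by the new SQL are never re-checked


class FixedDatasetService(VulnerableDatasetService):
    """Same service, but the data-access check runs on every SQL overwrite."""

    def update_sql(self, user: str, name: str, sql: str) -> None:
        authorize_sql(user, sql)  # re-validate against the full new query, not a diff
        super().update_sql(user, name, sql)


def run_scenario(service_cls) -> str:
    """Create an authorized dataset, then try to overwrite it with SQL on an ungranted table."""
    svc = service_cls()
    svc.create("analyst", "sales_ds", "SELECT * FROM public.sales")
    try:
        svc.update_sql("analyst", "sales_ds", "SELECT * FROM hr.salaries")
    except PermissionError:
        return "denied"
    return svc.datasets["sales_ds"].sql
```

The same check must also cover other paths that change what a dataset resolves to (renaming the underlying table or schema), since the overwrite is only one way the query behind an existing dataset can change.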
Exploitation
Prerequisites
To exploit this flaw, an attacker must be authenticated to the Superset instance and possess the "write datasets" and "read charts" permissions. No administrative privileges are required [1][3]. The attacker can then edit the SQL query of an existing dataset they have access to, effectively repurposing that dataset to query arbitrary tables or databases that the Superset backend can reach.
Impact
A successful attack bypasses the intended data access controls, enabling a low-privileged user to read sensitive information from any database that Superset is configured to connect to [1][3]. The attacker gains the ability to extract confidential data stored in otherwise restricted tables, potentially leading to a severe data breach.
Mitigation
The vulnerability affects all Apache Superset versions prior to 6.0.0. The fix is included in version 6.0.0 [1][3]. Users are strongly advised to upgrade to 6.0.0 or later. No workarounds have been published.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 6.0.0 | 6.0.0 |
Affected products
- Apache Software Foundation / Apache Superset v5, range: 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-3m2g-v7jf-7fxc (source: GHSA; type: advisory)
2. lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp (source: GHSA; type: vendor advisory, web)
3. nvd.nist.gov/vuln/detail/CVE-2026-23982 (source: GHSA; type: advisory)
4. www.openwall.com/lists/oss-security/2026/02/24/6 (source: GHSA; type: web)
News mentions
- TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms (The Hacker News, May 8, 2026)
- Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) (Unit 42, Apr 17, 2026)