Apache Superset: SQLLab Read-Only Bypass on PostgreSQL
Description
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users with SQLLab access can bypass read-only database checks in Apache Superset on PostgreSQL connections using crafted SQL statements.
Overview
An improper input validation vulnerability in Apache Superset allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection [1][3]. While the system effectively blocks standard DML statements (INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements [1].
Exploitation
An attacker must be authenticated and have access to SQLLab. By crafting SQL statements that evade the input validation, the attacker can execute DML operations over a PostgreSQL database connection that Superset has marked as read-only [3].
Impact
Successful exploitation allows the attacker to modify data in the PostgreSQL database, potentially leading to data corruption or unauthorized changes [1].
Mitigation
The vulnerability affects Apache Superset versions before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 6.0.0 | 6.0.0 |
Affected products
- Apache Software Foundation / Apache Superset (v5), range: 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mwf2-qr4v-94h2 (GHSA, advisory)
- lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26 (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2026-23984 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2026/02/24/8 (GHSA, web)
News mentions
No linked articles in our index yet.