PyPI package
apache-superset
pkg:pypi/apache-superset
Vulnerabilities (67)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23969 | — | < 4.1.2 | 4.1.2 | Feb 24, 2026 | Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the d | ||
| CVE-2026-23980 | — | < 6.0.0 | 6.0.0 | Feb 24, 2026 | Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: | ||
| CVE-2026-23982 | — | < 6.0.0 | 6.0.0 | Feb 24, 2026 | An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker wi | ||
| CVE-2026-23983 | — | < 6.0.0 | 6.0.0 | Feb 24, 2026 | A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects i | ||
| CVE-2026-23984 | — | < 6.0.0 | 6.0.0 | Feb 24, 2026 | An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Languag | ||
| CVE-2025-55675 | — | < 5.0.0 | 5.0.0 | Aug 14, 2025 | Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, | ||
| CVE-2025-55674 | — | < 5.0.0 | 5.0.0 | Aug 14, 2025 | A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to | ||
| CVE-2025-55672 | — | < 5.0.0 | 5.0.0 | Aug 14, 2025 | A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's b | ||
| CVE-2025-55673 | — | < 4.1.3.post1 | 4.1.3.post1 | Aug 14, 2025 | When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privilege | ||
| CVE-2025-48912 | — | < 4.1.2 | 4.1.2 | May 30, 2025 | An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. This | ||
| CVE-2025-27696 | — | < 4.1.2 | 4.1.2 | May 13, 2025 | Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, whic | ||
| CVE-2024-55633 | — | < 4.1.0 | 4.1.0 | Dec 12, 2024 | Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database con | ||
| CVE-2024-53949 | — | >= 2.0.0, < 4.1.0 | 4.1.0 | Dec 9, 2024 | Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, whic | ||
| CVE-2024-53948 | — | < 4.1.0 | 4.1.0 | Dec 9, 2024 | Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue. | ||
| CVE-2024-53947 | — | < 4.1.0 | 4.1.0 | Dec 9, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up | ||
| CVE-2024-39887 | — | < 4.0.2 | 4.0.2 | Jul 16, 2024 | An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate thi | ||
| CVE-2024-34693 | — | < 3.1.3 | 3.1.3 | Jun 20, 2024 | Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, i | ||
| CVE-2024-28148 | — | < 3.1.2 | 3.1.2 | May 7, 2024 | An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2. Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue. | ||
| CVE-2024-26016 | — | < 3.0.4 | 3.0.4 | Feb 28, 2024 | A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards | ||
| CVE-2024-24779 | — | < 3.0.4 | 3.0.4 | Feb 28, 2024 | Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This |
- CVE-2026-23969Feb 24, 2026affected < 4.1.2fixed 4.1.2
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the d
- CVE-2026-23980Feb 24, 2026affected < 6.0.0fixed 6.0.0
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset:
- CVE-2026-23982Feb 24, 2026affected < 6.0.0fixed 6.0.0
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker wi
- CVE-2026-23983Feb 24, 2026affected < 6.0.0fixed 6.0.0
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects i
- CVE-2026-23984Feb 24, 2026affected < 6.0.0fixed 6.0.0
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Languag
- CVE-2025-55675Aug 14, 2025affected < 5.0.0fixed 5.0.0
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL,
- CVE-2025-55674Aug 14, 2025affected < 5.0.0fixed 5.0.0
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to
- CVE-2025-55672Aug 14, 2025affected < 5.0.0fixed 5.0.0
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's b
- CVE-2025-55673Aug 14, 2025affected < 4.1.3.post1fixed 4.1.3.post1
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privilege
- CVE-2025-48912May 30, 2025affected < 4.1.2fixed 4.1.2
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. This
- CVE-2025-27696May 13, 2025affected < 4.1.2fixed 4.1.2
Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, whic
- CVE-2024-55633Dec 12, 2024affected < 4.1.0fixed 4.1.0
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database con
- CVE-2024-53949Dec 9, 2024affected >= 2.0.0, < 4.1.0fixed 4.1.0
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, whic
- CVE-2024-53948Dec 9, 2024affected < 4.1.0fixed 4.1.0
Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.
- CVE-2024-53947Dec 9, 2024affected < 4.1.0fixed 4.1.0
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up
- CVE-2024-39887Jul 16, 2024affected < 4.0.2fixed 4.0.2
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate thi
- CVE-2024-34693Jun 20, 2024affected < 3.1.3fixed 3.1.3
Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, i
- CVE-2024-28148May 7, 2024affected < 3.1.2fixed 3.1.2
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2. Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue.
- CVE-2024-26016Feb 28, 2024affected < 3.0.4fixed 3.0.4
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards
- CVE-2024-24779Feb 28, 2024affected < 3.0.4fixed 3.0.4
Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This
Page 1 of 4