Apache Superset: Rogue Users Can Bypass Read-Only Settings

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.1

Apache Superset: Rogue Users Can Bypass Read-Only Settings

CVE-2026-23984 GHSA-mwf2-qr4v-94h2

Summary

A security hole in Apache Superset lets users with SQL editing access bypass read-only settings in PostgreSQL connections. This is a risk for any organization using Apache Superset with a PostgreSQL database, especially those who rely on read-only access for certain users. Update to version 6.0.0 to fix this issue.

What to do

Update apache-superset to version 6.0.0.

Affected software

Vendor	Product	Affected versions	Fix available
–	apache-superset	<= 6.0.0	6.0.0
apache	superset	<= 6.0.0	–

Original title

Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections

Original description

An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.
While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.

nvd CVSS3.1 6.5

nvd CVSS4.0 7.1

Vulnerability type

CWE-863 Incorrect Authorization

CWE-200 Information Exposure

https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26 Mailing List
http://www.openwall.com/lists/oss-security/2026/02/24/8 Mailing List Third Party Advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-23984
https://github.com/advisories/GHSA-mwf2-qr4v-94h2

Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026