Apache Superset: ClickHouse engine SQL function restrictions not fully set

CVE-2026-23969 GHSA-48m2-v2r8-h23m
Summary

Apache Superset's ClickHouse engine had a missing restriction on certain SQL functions, which could have allowed unauthorized access to sensitive data. This affected versions of Apache Superset before 4.1.2. To fix this, update to version 4.1.2 or later.

What to do
  • Update apache-superset to version 4.1.2.
Affected software
Vendor    Product            Affected versions   Fix available
          apache-superset    <= 4.1.2            4.1.2
apache    superset           <= 4.1.2
Original title
Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine
Original description
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.
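To make the mechanism the description refers to concrete, the following is an added illustration that is not from the advisory or the Superset project. It shows the shape of a DISALLOWED_SQL_FUNCTIONS override as it would sit in a Superset configuration file, a simplified stand-in for the enforcement check (Superset's real check works on its parsed SQL, not a regex), and a configuration-hygiene helper that reports engines with no deny-list at all, which is the kind of gap this advisory describes. The engine keys use Superset's lower-case dialect-name convention; every function name in the ClickHouse entry is a constructed placeholder, not the functions the fix added, since the advisory does not list them.

```python
import re

# Shape of the Superset setting as it would appear in superset_config.py.
# Engine keys: lower-case dialect names (Superset's convention). Values: SQL
# function names that SQL Lab and charts must refuse. The ClickHouse names are
# constructed placeholders; "version" for PostgreSQL is an illustrative entry.
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": {"version"},                                 # illustrative
    "clickhouse": {"placeholder_fn_a", "placeholder_fn_b"},    # placeholders
}

# Identifier immediately followed by "(" is treated as a function call. This is
# a deliberately simple approximation, not Superset's parser-based check.
_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def called_functions(sql: str) -> set[str]:
    """Lower-cased names that appear in call position in the query text."""
    return {m.group(1).lower() for m in _CALL_RE.finditer(sql)}


def disallowed_calls(sql: str, engine: str,
                     policy: dict[str, set[str]] = DISALLOWED_SQL_FUNCTIONS) -> set[str]:
    """Function names in `sql` that the engine's deny-list forbids.

    Matching is case-insensitive. An engine with no entry is treated as having
    an empty list, which is why an incomplete default silently allows calls:
    nothing is blocked unless the list for that engine names it.
    """
    blocked = {name.lower() for name in policy.get(engine, set())}
    return called_functions(sql) & blocked


def engines_without_policy(policy: dict[str, set[str]], engines: list[str]) -> list[str]:
    """Hygiene check: engines in use that have no (or an empty) deny-list."""
    return [engine for engine in engines if not policy.get(engine)]


if __name__ == "__main__":
    # Constructed sample queries for a quick local run.
    for engine, sql in [("clickhouse", "SELECT placeholder_fn_a('x') FROM t"),
                        ("clickhouse", "SELECT count(*) FROM t"),
                        ("mysql", "SELECT placeholder_fn_a('x')")]:
        print(engine, "->", sorted(disallowed_calls(sql, engine)) or "allowed")
    print("engines lacking a deny-list:",
          engines_without_policy(DISALLOWED_SQL_FUNCTIONS, ["clickhouse", "mysql"]))
```

The last helper is the operationally useful part: after upgrading, or when overriding the setting yourself, run it against the list of engines your deployment actually connects to so that a database type with no entry is noticed rather than assumed to be covered.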
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-89: SQL Injection
Published: 24 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026