7.1
Apache Superset allows low-privileged users to access unauthorized data
CVE-2026-23982
GHSA-3m2g-v7jf-7fxc
Summary
A security weakness in Apache Superset version 6.0.0 and earlier allows an authenticated user with limited permissions (the ability to write datasets and read charts) to bypass data access controls and query data they are not authorized to see. This is a concern because sensitive information might be exposed. To fix this, update to the latest version of Apache Superset, which is 6.0.0.
What to do
- Update apache-superset to version 6.0.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | apache-superset | <= 6.0.0 | 6.0.0 |
| apache | superset | <= 6.0.0 | – |
Original title
Apache Superset Improper Authorization allows low-privileged users to bypass access controls
Original description
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
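A simplified model of the authorization gap described above (a permission check applied when a dataset is created but not when its SQL is overwritten), next to the corrected behaviour. This is an added illustration, not Apache Superset code or its actual fix; `DatasetStore`, `check_sql_access`, the grants table and the regex-based table extractor are hypothetical.

```python
import re

# Constructed sample grants: tables each (hypothetical) user may query.
GRANTS = {"analyst": {"public_sales"}, "admin": {"public_sales", "hr_salaries"}}

class Forbidden(Exception):
    """Raised when a user's SQL references a table they are not granted."""

def referenced_tables(sql):
    """Demo-only extractor: names following FROM/JOIN (not a real SQL parser)."""
    names = re.findall(r"\b(?:from|join)\s+([A-Za-z_][\w.]*)", sql, re.I)
    return {n.lower() for n in names}

def check_sql_access(user, sql):
    """Reject SQL that touches any table outside the user's grants."""
    denied = referenced_tables(sql) - GRANTS.get(user, set())
    if denied:
        raise Forbidden(f"{user} may not query {sorted(denied)}")

class DatasetStore:
    def __init__(self, recheck_on_update):
        self.recheck_on_update = recheck_on_update
        self.datasets = {}

    def create(self, user, name, sql):
        check_sql_access(user, sql)  # check enforced on the create path
        self.datasets[name] = sql

    def update_sql(self, user, name, sql):
        # Weak form: the new SQL is stored without repeating the create-time check.
        # Corrected form: every write path that changes the SQL re-runs the check.
        if self.recheck_on_update:
            check_sql_access(user, sql)
        self.datasets[name] = sql

def try_overwrite(store):
    """Create an allowed dataset, then overwrite its SQL with a denied table."""
    store.create("analyst", "sales", "SELECT * FROM public_sales")
    try:
        store.update_sql("analyst", "sales", "SELECT * FROM hr_salaries")
    except Forbidden:
        return "blocked"
    return "bypassed"

if __name__ == "__main__":
    print("check on create only:", try_overwrite(DatasetStore(False)))
    print("check on every write:", try_overwrite(DatasetStore(True)))
```
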
NVD CVSS 3.1
6.5
NVD CVSS 4.0
7.1
Vulnerability type
CWE-863
Incorrect Authorization
- https://nvd.nist.gov/vuln/detail/CVE-2026-23982
- https://github.com/advisories/GHSA-3m2g-v7jf-7fxc
- https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/02/24/6 (Mailing List, Third Party Advisory)
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026