Apache Superset: Privileged Users Can Execute Unauthorized Queries
CVE-2026-23980
GHSA-gvxg-9hqx-f4rg
Summary
A SQL injection issue in Apache Superset, a business intelligence platform, allows an authenticated user with read access to conduct error-based SQL injection through the sqlExpression or where parameters, potentially exposing sensitive data. This issue affects Apache Superset versions before 6.0.0. To fix it, update to version 6.0.0.
What to do
- Update apache-superset to version 6.0.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | apache-superset | <= 6.0.0 | 6.0.0 |
| apache | superset | <= 6.0.0 | – |
Original title
Apache Superset allows privileged users to conduct error-based SQL Injection
Original description
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-89: SQL Injection
- https://nvd.nist.gov/vuln/detail/CVE-2026-23980
- https://github.com/advisories/GHSA-gvxg-9hqx-f4rg
- https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4 Mailing List Vendor Advisory
- http://www.openwall.com/lists/oss-security/2026/02/24/5 Mailing List Third Party Advisory
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026