PT-2026-21682 · Postgresql Global Development Group+1 · Postgresql+1

Trung Đức Lê · Published 2026-02-24 · Updated 2026-03-02 · CVE-2026-23984

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Apache Superset versions prior to 6.0.0

Description

An issue exists in Apache Superset where an authenticated user with SQLLab access can bypass the read-only verification check when using a PostgreSQL database connection. The system does not detect specially crafted SQL statements that contain Data Manipulation Language (DML) commands, such as INSERT, UPDATE, and DELETE, on connections configured as read-only. The vulnerable component is the read-only verification process within SQLLab.

Recommendations

Upgrade to version 6.0.0 to resolve the issue.

Fix

Incorrect Authorization

Information Disclosure


Weakness Enumeration

Related Identifiers

BIT-SUPERSET-2026-23984
CVE-2026-23984
GHSA-MWF2-QR4V-94H2

Affected Products

Apache Superset
Postgresql