Apache · Apache Superset · CVE-2022-41703
**Name of the Vulnerable Software and Affected Versions**
Apache Superset versions 1.5.2 and prior
Apache Superset version 2.0.0
**Description**
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the `WHERE` and `HAVING` fields (the custom SQL filter clauses of a chart) that reference other tables on the same database, including tables the user has not been granted access to. The clause is executed with the privileges of the database connection that Superset holds, not the user's, and the subquery check is bypassed even when the deployment-wide feature flag `ALLOW_ADHOC_SUBQUERY` is disabled. The flag therefore does not protect against this issue.
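The guard the description implies is a validation step on every user-supplied `WHERE`/`HAVING` expression: reject it when it contains a sub-select and `ALLOW_ADHOC_SUBQUERY` is off, and, when sub-selects are allowed, check every table the subquery reads from against the tables the user may see. The following is an added example written for this page; it is not Superset's own code (Superset's real check lives in `superset/sql_parse.py` and is built on `sqlparse`). It uses a small hand-written scanner instead so that it runs without dependencies, and the clauses, table names and `QueryClauseValidationException` class are constructed for the example. It also shows the evasions a naive `"select" in clause.lower()` test gets wrong: a `SELECT` hidden behind a comment, a `SELECT` inside a string literal, and a column literally named `"select"`.

```python
import re

# Added example for CVE-2022-41703; not Apache Superset's own code.
# Scanner: one regex that classifies comments, string literals, quoted
# identifiers and bare words so keywords inside strings/comments are ignored.
_TOKEN_RE = re.compile(
    r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)        # line and block comments
    |(?P<string>'(?:[^']|'')*')            # single-quoted literal ('' escapes a quote)
    |(?P<quoted>"(?:[^"]|"")*"|`[^`]*`)    # quoted identifier
    |(?P<word>[A-Za-z_][A-Za-z0-9_]*)      # bare identifier or keyword
    |(?P<other>.)                          # punctuation, digits, whitespace
    """,
    re.VERBOSE | re.DOTALL,
)


class QueryClauseValidationException(Exception):
    """Raised when a custom WHERE/HAVING clause must not be executed (constructed name)."""


def _tokens(clause):
    """Yield (kind, text) pairs with comments dropped."""
    for m in _TOKEN_RE.finditer(clause):
        if m.lastgroup != "comment":
            yield m.lastgroup, m.group()


def _unquote(text):
    # Quoted identifiers keep their case; bare names are folded to lower case.
    return text[1:-1] if text[0] in '"`' else text.lower()


def has_table_query(clause):
    """True if the clause contains a SELECT outside strings, comments and quoted identifiers."""
    return any(k == "word" and t.upper() == "SELECT" for k, t in _tokens(clause))


def _collect_names(toks, i):
    """Read comma-separated, optionally dotted names starting at toks[i]."""
    names = []
    while i < len(toks) and toks[i][0] in ("word", "quoted"):
        parts = [_unquote(toks[i][1])]
        i += 1
        while i + 1 < len(toks) and toks[i] == ("other", ".") and toks[i + 1][0] in ("word", "quoted"):
            parts.append(_unquote(toks[i + 1][1]))
            i += 2
        names.append(".".join(parts))
        if i < len(toks) and toks[i] == ("other", ","):
            i += 1
        else:
            break
    return names, i


def referenced_tables(clause):
    """Tables named after FROM/JOIN inside a sub-select of the clause.

    FROM is only treated as a table source at a parenthesis depth where a SELECT
    was seen, so EXTRACT(YEAR FROM col) and similar function syntax is not counted.
    """
    toks = [t for t in _tokens(clause) if not (t[0] == "other" and t[1].isspace())]
    tables, depth, select_depths, i = set(), 0, set(), 0
    while i < len(toks):
        kind, text = toks[i]
        if kind == "other" and text == "(":
            depth += 1
        elif kind == "other" and text == ")":
            select_depths.discard(depth)
            depth -= 1
        elif kind == "word" and text.upper() == "SELECT":
            select_depths.add(depth)
        elif kind == "word" and text.upper() in ("FROM", "JOIN") and depth in select_depths:
            names, i = _collect_names(toks, i + 1)
            tables.update(names)
            continue
        i += 1
    return tables


def validate_adhoc_clause(clause, allowed_tables, allow_adhoc_subquery=False):
    """Validate a user-supplied WHERE/HAVING fragment; return the tables it reads from."""
    if not has_table_query(clause):
        return set()
    if not allow_adhoc_subquery:
        raise QueryClauseValidationException("Custom SQL fields cannot contain sub-queries.")
    denied = referenced_tables(clause) - set(allowed_tables)
    if denied:
        raise QueryClauseValidationException(f"Access denied to table(s): {sorted(denied)}")
    return referenced_tables(clause)


def rejects(clause, allowed_tables, allow_adhoc_subquery=False):
    """Convenience wrapper: True if the clause is refused."""
    try:
        validate_adhoc_clause(clause, allowed_tables, allow_adhoc_subquery)
    except QueryClauseValidationException:
        return True
    return False


# Constructed sample clauses a chart editor might submit (not from the advisory).
SAMPLE_CLAUSES = {
    "plain": "country = 'US' AND amount > 100",
    "extract": "EXTRACT(YEAR FROM order_ts) = 2022",            # FROM outside any SELECT
    "literal": "note = '(select * from salaries)'",             # SELECT inside a string
    "quoted_col": '"select" = 1',                               # column named select
    "subquery": "1 = (SELECT count(*) FROM public.salaries)",
    "commented": "1 = (/* */sElEcT 1 FROM salaries WHERE EXTRACT(YEAR FROM paid) = 2022 -- x\n)",
    "join": "user_id IN (SELECT u.id FROM users u JOIN salaries s ON s.uid = u.id)",
}

if __name__ == "__main__":
    for name, clause in SAMPLE_CLAUSES.items():
        print(f"{name:>10}: subquery={has_table_query(clause)} tables={sorted(referenced_tables(clause))}")
```

Run the validator before the clause is spliced into the chart's query, on the server side, and with the allowed-table set derived from the requesting user's datasource permissions; a client-side check is worthless here because the attacker controls the request. The `extract`, `literal` and `quoted_col` samples pass as plain expressions, while `commented` is caught even though its `SELECT` is mixed-case and preceded by a block comment.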
**Recommendations**
For Apache Superset versions 1.5.2 and prior, upgrade to version 1.5.3 or later.
For Apache Superset version 2.0.0, upgrade to version 2.0.1 or later.
Disabling the SQL Alchemy connector is not a viable mitigation, since it is the connector through which Superset queries its databases, and disabling the `ALLOW_ADHOC_SUBQUERY` feature flag does not help because the flaw bypasses it. Until the upgrade is applied, treat read access to a database as read access to every table reachable through that connection: grant database-level access only to users who may see all of its tables, give the database account used by the Superset connection `SELECT` rights only on the tables intended to be exposed, and move sensitive tables behind a separate connection.