Apache · Apache Superset · CVE-2026-23969
**Name of the Vulnerable Software and Affected Versions**
Apache Superset versions prior to 4.1.2
**Description**
Apache Superset uses a configurable dictionary, `DISALLOWED SQL FUNCTIONS`, to limit the execution of potentially sensitive SQL functions in SQL Lab and charts. A flaw exists because the default list for the ClickHouse engine was not comprehensive, allowing potentially harmful SQL functions to be executed.
**Recommendations**
Upgrade to version 4.1.2 to resolve the issue.