PostgreSQL Global Development Group · PostgreSQL · CVE-2026-23984
**Name of the Vulnerable Software and Affected Versions**
Apache Superset versions prior to 6.0.0
**Description**
An issue exists in Apache Superset where an authenticated user with SQLLab access can bypass the read-only verification check when using a PostgreSQL database connection. The system does not detect specially crafted SQL statements that contain Data Manipulation Language (DML) commands, such as INSERT, UPDATE, and DELETE, on connections configured as read-only. The vulnerable component is the read-only verification process within SQLLab.
**Recommendations**
Upgrade Apache Superset to version 6.0.0 to resolve the issue.