PT-2025-23275 · Apache · Apache Superset

Reported by: Mirakl Security +1

Published 2025-05-30 · Updated 2025-06-04 · CVE-2025-48912

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.1.2

Description: An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into sqlExpression fields. This allowed the execution of sub-queries to evade parsing defenses, ultimately granting unauthorized access to data.

Recommendations: For Apache Superset versions prior to 4.1.2, update to version 4.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the sqlExpression fields to minimize the risk of exploitation.

Fix

SQL injection


Weakness Enumeration

Related Identifiers

BDU:2025-06616
BIT-SUPERSET-2025-48912
CVE-2025-48912
GHSA-8W7F-8PR9-XGWJ

Affected Products

Apache Superset