PT-2026-21678 · Apache · Apache Superset

Daniel Gaspar

Published 2026-02-24 · Updated 2026-03-02 · CVE-2026-23969

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.1.2

Description: Apache Superset uses a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to limit the execution of potentially sensitive SQL functions in SQL Lab and charts. A flaw exists because the default list for the ClickHouse engine was not comprehensive, allowing potentially harmful SQL functions to be executed.

Recommendations: Upgrade to version 4.1.2 to resolve the issue.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BIT-SUPERSET-2026-23969
CVE-2026-23969
GHSA-48M2-V2R8-H23M

Affected Products

Apache Superset