PT-2026-21682 · Postgresql Global Development Group · Postgresql

Trung Đức Lê · Published 2026-02-24 · Updated 2026-03-02 · CVE-2026-23984

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 6.0.0

Description: An issue exists in Apache Superset where an authenticated user with SQLLab access can bypass the read-only verification check when using a PostgreSQL database connection. Superset does not detect specially crafted SQL statements that contain Data Manipulation Language (DML) commands, such as INSERT, UPDATE, and DELETE, on connections configured as read-only. The vulnerable component is the read-only verification process within SQLLab.

Recommendations: Upgrade to version 6.0.0 to resolve the issue.

Fix

Incorrect Authorization

Information Disclosure


Weakness Enumeration

Related Identifiers

BIT-SUPERSET-2026-23984
CVE-2026-23984
GHSA-MWF2-QR4V-94H2

Affected Products

Apache Superset
Postgresql