PyPI: apache-superset

CVE-2026-23984

Safety vulnerability ID: SFTY-20260224-57405

An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.

PyPI

NVD

GHSA

Created at: Feb 26, 2026Updated at: Feb 26, 2026

Overview

Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections

Advisory

Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections

Affected Package

Affecting apache-superset package, versions

< 6.0.0

Also affects

---

How to Fix

Upgrade

apache-superset

6.0.0

or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more