PyPI: apache-superset

CVE-2026-23982

Safety vulnerability ID: SFTY-20260224-59814

An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.

PythonPyPINVDNVDGitHubGHSA
Created at: Feb 26, 2026Updated at: Feb 26, 2026

Overview

Apache Superset Improper Authorization allows low-privileged users to bypass access controls

Advisory

Apache Superset Improper Authorization allows low-privileged users to bypass access controls

Affected Package

Affecting apache-superset package, versions
< 6.0.0

Also affects

---

How to Fix

Upgrade
apache-superset
to
6.0.0
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more