PyPI: apache-superset
CVE-2026-23969
Safety vulnerability ID: SFTY-20260224-90562
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue.
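The gap class described above, as an added example that is not Superset's code: a per-engine deny-list only blocks what is listed under that engine's key, so a shorter ClickHouse entry lets calls through until an operator extends it. The engine-keyed dictionary shape follows the advisory; the function names, the sample query and the regex-based call extraction are constructed assumptions.

```python
import re

# Constructed deny-list in the engine -> function-names shape the advisory
# describes. Names are placeholders, not Superset's shipped defaults.
DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {"example_read_file", "example_version"},
    "clickhouse": {"example_version"},  # shorter entry: the gap being modelled
}

# Operator-reviewed additions per engine (placeholder names, assumed).
EXTRA_DISALLOWED = {"clickhouse": {"example_read_url", "example_host_name"}}

# Constructed query: one real call, one name in a comment, one in a literal.
SAMPLE_SQL = (
    "SELECT Example_Read_URL('http://placeholder.invalid/') -- example_version()\n"
    "FROM t WHERE note = 'example_host_name(1)'"
)

# String literals and comments are blanked so names inside them do not count.
_STRIP = re.compile(r"'(?:[^'\\]|\\.|'')*'|--[^\n]*|/\*.*?\*/", re.S)
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def merge_denylist(defaults, extra):
    """Return a new engine -> lowercase-name-set mapping with extras added."""
    merged = {eng: {f.lower() for f in fns} for eng, fns in defaults.items()}
    for eng, fns in extra.items():
        merged.setdefault(eng, set()).update(f.lower() for f in fns)
    return merged


def called_functions(sql):
    """Identifiers followed by '(' after literals and comments are removed.
    A simplification for illustration; a real check should use a SQL parser."""
    return {m.group(1).lower() for m in _CALL.finditer(_STRIP.sub(" ", sql))}


def disallowed_in(sql, engine, denylist):
    """Sorted function names in sql that the deny-list blocks for engine."""
    return sorted(called_functions(sql) & denylist.get(engine, set()))


if __name__ == "__main__":
    before = merge_denylist(DISALLOWED_SQL_FUNCTIONS, {})
    after = merge_denylist(DISALLOWED_SQL_FUNCTIONS, EXTRA_DISALLOWED)
    print("default list flags:", disallowed_in(SAMPLE_SQL, "clickhouse", before))
    print("extended list flags:", disallowed_in(SAMPLE_SQL, "clickhouse", after))
```

Matching is case-insensitive and keyed strictly by engine, so an engine with no entry in the dictionary is not restricted at all.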
Overview
Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine
