Apache: >> Superset >> 0.13.0 Security Vulnerabilities
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-08-14
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.
This issue affects Apache Superset: before 4.1.3.
Users are recommended to upgrade to version 4.1.3, which fixes the issue.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-08-14
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-08-14
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-08-14
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.
This issue affects Apache Superset: before 4.1.2.
Users are recommended to upgrade to version 4.1.2, which fixes the issue.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-05-30
Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.
This issue affects Apache Superset: through 4.1.1.
Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-05-13
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.
This issue affects Apache Superset: before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
CVSS Score
6.5
EPSS Score
0.005
Published
2024-12-12
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.
This issue affects Apache Superset: <4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-12-09
Generation of Error Message Containing analytics metadata Information in Apache Superset.
This issue affects Apache Superset: before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
CVSS Score
5.3
EPSS Score
0.003
Published
2024-12-09
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.
This issue affects Apache Superset: before 4.0.2.
Users are recommended to upgrade to version 4.0.2, which fixes the issue.
CVSS Score
4.3
EPSS Score
0.507
Published
2024-07-16
Page 1