Improper Input Validation in Apache Superset for PostgreSQL Connections
CVE-2026-23984

7.1HIGH

Key Information:

Vendor: Apache
Status: Apache Superset
Vendor: CVE Published:; 24 February 2026

What is CVE-2026-23984?

An Improper Input Validation vulnerability in Apache Superset allows authenticated users with SQLLab access to circumvent read-only verification checks for PostgreSQL database connections. The system aims to prevent unauthorized DML operations like INSERT, UPDATE, and DELETE on read-only connections, but it fails to adequately filter specially crafted SQL statements. This oversight could lead to unintended database modifications, posing a risk to data integrity. It is crucial for users to upgrade to version 6.0.0, which resolves this vulnerability.

Affected Version(s)

Apache Superset 0.0.0 < 6.0.0

References

https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs12...

vendor-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2026
Vulnerability Reserved
Jan 19, 2026

Credit

Trung Đức Lê

Beto de Almeida

CVE-2026-23984 Data

JSON