
Description

Apache Superset uses a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to block the execution of potentially sensitive SQL functions from SQL Lab and charts, keyed by database engine. While the shipped defaults included restrictions for engines such as PostgreSQL, the default entry for the ClickHouse engine was incomplete, so functions the restriction was meant to cover could still be executed against ClickHouse-backed databases. This issue affects Apache Superset before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue.
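As an added illustration that is not part of this CVE record or of Superset's own code, the stand-alone Python below shows the shape of the DISALLOWED_SQL_FUNCTIONS mapping (engine name to a set of function names) and why an incomplete per-engine entry matters. The checker is written for this example and is not Superset's parser; the baseline and hardened mappings are constructed here, and the ClickHouse names added to the hardened entry (hostName, currentUser, version, fqdn) are real ClickHouse functions chosen as illustrative denylist candidates, not the list that 4.1.2 installs. The sample queries are constructed for the demonstration.

```python
import re

# Shape of the Superset setting: SQLAlchemy engine name -> set of function
# names that SQL Lab and charts refuse to run. Contents are illustrative for
# this example (assumption), not Superset's shipped defaults or the 4.1.2 fix.
BASELINE_DISALLOWED: dict[str, set[str]] = {
    "postgresql": {"inet_server_addr", "version"},
    "clickhouse": {"url"},  # narrow entry: host/user disclosure helpers missing
}

# Operator override of the kind that goes in superset_config.py: same keys,
# ClickHouse entry extended. hostName/currentUser/version/fqdn are real
# ClickHouse functions, picked here as examples of what a fuller list covers.
HARDENED_DISALLOWED: dict[str, set[str]] = {
    "postgresql": BASELINE_DISALLOWED["postgresql"],
    "clickhouse": BASELINE_DISALLOWED["clickhouse"]
    | {"hostName", "currentUser", "version", "fqdn"},
}

# An identifier immediately followed by "(" is treated as a function call.
# Deliberately simple: a production check should walk the SQL parser's AST so
# that quoting, comments and parenthesis-free calls cannot hide a function.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def functions_called(sql: str) -> set[str]:
    """Return every function name invoked in `sql`, lower-cased."""
    # Blank out string literals and comments first so text inside them
    # neither triggers nor masks a match.
    cleaned = re.sub(r"'(?:[^']|'')*'", "''", sql)
    cleaned = re.sub(r"--[^\n]*", " ", cleaned)
    cleaned = re.sub(r"/\*.*?\*/", " ", cleaned, flags=re.S)
    return {m.group(1).lower() for m in _CALL.finditer(cleaned)}


def disallowed_in(sql: str, engine: str, policy: dict[str, set[str]]) -> set[str]:
    """Names from `policy[engine]` that `sql` calls; an empty set means allowed.

    Comparison is case-insensitive so HOSTNAME() and hostName() hit the same
    entry; an exact-case string match would be a trivial bypass.
    """
    denied = {name.lower() for name in policy.get(engine, set())}
    return functions_called(sql) & denied


# Constructed sample queries for the demonstration.
PG_PROBE = "SELECT version(), inet_server_addr()"
CH_PROBE = "SELECT hostName(), currentUser(), version() FROM system.one"
CH_BENIGN = "SELECT count(), toDate(ts) FROM events GROUP BY toDate(ts)"

if __name__ == "__main__":
    cases = [
        ("postgresql", PG_PROBE, BASELINE_DISALLOWED, "baseline"),
        ("clickhouse", CH_PROBE, BASELINE_DISALLOWED, "baseline"),
        ("clickhouse", CH_PROBE, HARDENED_DISALLOWED, "hardened"),
        ("clickhouse", CH_BENIGN, HARDENED_DISALLOWED, "hardened"),
    ]
    for engine, sql, policy, label in cases:
        hit = disallowed_in(sql, engine, policy)
        verdict = f"blocked {sorted(hit)}" if hit else "allowed"
        print(f"{engine:<10} {label:<8} {verdict:<45} {sql}")
```

Running the block prints the gap the advisory describes: the same kind of host and user disclosure probe is blocked under the PostgreSQL entry but allowed under the narrow ClickHouse entry, and is only blocked once the ClickHouse set is extended. Two caveats for operators carrying their own override: values set in superset_config.py replace the default dictionary rather than merging with it, so an override must list every engine's entry, not just the one being extended (verify against your deployment's effective config); and the regex checker here is for illustration only, since a denylist enforced on raw text rather than on the parsed statement is easy to evade.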

State PUBLISHED | Reserved 2026-01-19 | Published 2026-02-24 | Updated 2026-02-24 | Assigner apache

MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

0.0.0 (semver) before 4.1.2
affected

Credits

Saif Salah reporter

Daniel Gaspar remediation developer

References

www.openwall.com/lists/oss-security/2026/02/24/4

lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd vendor-advisory

cve.org (CVE-2026-23969)

nvd.nist.gov (CVE-2026-23969)
