oss-sec mailing list archives

CVE-2025-48912: Apache Superset: Improper authorization bypass on row level security via SQL Injection


From: Daniel Gaspar <dpgaspar () apache org>
Date: Fri, 30 May 2025 08:17:51 +0000

Affected versions:

- Apache Superset before 4.1.2

Description:

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries that evaded the parsing defenses, ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.
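The advisory describes sub-queries smuggled into 'sqlExpression' fields to slip past the parser-based row level security checks. The following is an added audit helper, not code from Apache Superset or from the advisory authors: it blanks out string literals, quoted identifiers and comments (so a "select" inside a literal or comment is not a false positive) and then flags SQL-type ad-hoc filters whose expression still contains a SELECT, UNION or WITH keyword. The filter dictionaries are constructed sample input whose key names (`expressionType`, `sqlExpression`) are assumed to follow the shape of Superset chart form data; the regex approach is a coarse detection heuristic for auditing stored chart definitions, not a replacement for the fix in 4.1.2.

```python
import re
from typing import Iterable, List

# One left-to-right alternation so that a quote inside a comment, or a comment
# marker inside a string literal, is consumed by whichever token starts first.
# Matched regions are replaced by a single space so keyword boundaries survive.
_NON_CODE = re.compile(
    r"'(?:[^']|'')*'"        # 'string literal' with '' as the escaped quote
    r'|"(?:[^"]|"")*"'       # "quoted identifier"
    r"|--[^\n]*"             # -- line comment
    r"|/\*.*?\*/",           # /* block comment */
    re.DOTALL,
)

# Keywords that can only appear in a filter expression if it embeds a query.
_SUBQUERY_KEYWORDS = re.compile(r"\b(select|union|with)\b", re.IGNORECASE)


def normalize(expr: str) -> str:
    """Return the expression with literals, identifiers and comments blanked out."""
    return _NON_CODE.sub(" ", expr)


def contains_subquery(expr: str) -> bool:
    """True when a query keyword appears outside literals and comments."""
    return _SUBQUERY_KEYWORDS.search(normalize(expr)) is not None


def audit_adhoc_filters(adhoc_filters: Iterable[dict]) -> List[str]:
    """Return the sqlExpression of every SQL-type ad-hoc filter that embeds a query.

    Only filters whose expressionType is "SQL" carry free-form SQL; SIMPLE
    filters are column/operator/value triples and are skipped.
    """
    flagged: List[str] = []
    for f in adhoc_filters:
        if f.get("expressionType") != "SQL":
            continue
        expr = f.get("sqlExpression", "")
        if contains_subquery(expr):
            flagged.append(expr)
    return flagged


# Constructed sample input (assumed key layout, see lead-in); the last entry
# is the only one that actually embeds a sub-query.
SAMPLE_ADHOC_FILTERS = [
    {"expressionType": "SIMPLE", "subject": "region", "operator": "==", "comparator": "EMEA"},
    {"expressionType": "SQL", "clause": "WHERE", "sqlExpression": "status = 'active'"},
    {"expressionType": "SQL", "clause": "WHERE", "sqlExpression": "note = 'select one'  -- select"},
    {"expressionType": "SQL", "clause": "WHERE", "sqlExpression": "x = 1 /* union with */"},
    {"expressionType": "SQL", "clause": "WHERE", "sqlExpression": "region IN (SELECT region FROM regions)"},
]

if __name__ == "__main__":
    for expr in audit_adhoc_filters(SAMPLE_ADHOC_FILTERS):
        print("sub-query in ad-hoc filter:", expr)
```

Run against exported dashboard or chart JSON from an instance that has not yet been upgraded, the flagged expressions are the ones worth reviewing by hand; an empty result does not prove absence, since the advisory itself notes that parser-based checks were evaded.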

Credit:

Pedro Sousa (coordinator)
Beto de Almeida (remediation developer)
Mirakl Security (finder)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-48912