oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-23969: Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering

From: Daniel Gaspar <dpgaspar () apache org>
Date: Tue, 24 Feb 2026 09:23:01 +0000
Severity: 

Affected versions:

- Apache Superset 0.0.0 before 4.1.2

Description:

Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially 
sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like 
PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.

Credit:

Saif Salah (reporter)
Daniel Gaspar (remediation developer)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-23969
Previous By Date Next
Previous By Thread Next

Current thread: