CVE-2026-23980: Apache Superset allows privileged users to conduct error-based SQL Injection

February 24, 2026 (updated February 26, 2026)

Improper Neutralization of Special Elements used in a SQL Command (‘SQL Injection’) vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.

References

github.com/advisories/GHSA-gvxg-9hqx-f4rg
github.com/apache/superset
lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4
nvd.nist.gov/vuln/detail/CVE-2026-23980

Code Behaviors & Features

Detect and mitigate CVE-2026-23980 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →