CVE-2026-23982: Apache Superset Improper Authorization allows low-privileged users to bypass access controls

February 24, 2026 (updated February 26, 2026)

An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.

References

github.com/advisories/GHSA-3m2g-v7jf-7fxc
github.com/apache/superset
lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp
nvd.nist.gov/vuln/detail/CVE-2026-23982

Code Behaviors & Features

Detect and mitigate CVE-2026-23982 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →