CVE-2026-23984: Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections

February 24, 2026 (updated February 26, 2026)

An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.

References

github.com/advisories/GHSA-mwf2-qr4v-94h2
github.com/apache/superset
lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26
nvd.nist.gov/vuln/detail/CVE-2026-23984

Code Behaviors & Features

Detect and mitigate CVE-2026-23984 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →