Apache Superset authorization bypass via dataset SQL overwrite
TL;DR — An authorization bypass in Apache Superset lets low-privileged users overwrite dataset SQL queries during creation, accessing data they should not be able to reach.
What happened
Apache Superset is an open-source business intelligence and data visualization platform used by organizations to explore and dashboard data from SQL databases. CVE-2026-23982 describes an Improper Authorization issue in Apache Superset where a low-privileged authenticated user can bypass data access controls during dataset creation by overwriting the SQL query of an existing dataset. Rated CVSS v4 7.1 (High) — network-reachable, low-privilege, potentially exposing high-value data.
Broken access control on data platforms is particularly dangerous because it can expose sensitive business data without leaving obvious traces in application logs.
Who is impacted
- Organizations running Apache Superset < 6.0.0.
- Deployments where non-admin users can write datasets and read charts.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Review Superset role permissions, especially who can create/modify datasets and view charts.
- Audit recent dataset changes for unexpected SQL modifications.
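An offline audit helper for the "audit recent dataset changes" step above, added here as an example rather than taken from the advisory or the Superset project. Record field names (id, table_name, schema, sql, changed_by, changed_on_utc) mirror Superset's dataset list API; the ISO timestamp format, the trusted-admin list, the simple FROM/JOIN regex and the sample records are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# schema.table names after FROM/JOIN; deliberately simple, not a SQL parser (assumption)
TABLE_REF = re.compile(r"\b(?:from|join)\s+([a-z_]\w*)\.([a-z_]\w*)", re.I)

def normalize_sql(sql):
    """Collapse whitespace and case so cosmetic edits are not reported."""
    return " ".join((sql or "").split()).rstrip(";").lower()

def referenced_schemas(sql):
    """Schemas explicitly named in a virtual dataset's SQL."""
    return {m.group(1).lower() for m in TABLE_REF.finditer(sql or "")}

def audit_datasets(current, baseline, since, admins=frozenset()):
    """Return (dataset id, reason) pairs that deserve a human look.
    baseline: dataset records you trust (e.g. an earlier export);
    since: timezone-aware cutoff for 'recent' edits; admins: trusted usernames."""
    base = {d["id"]: d for d in baseline}
    findings = []
    for d in current:
        old = base.get(d["id"])
        if old is not None and normalize_sql(old.get("sql")) != normalize_sql(d.get("sql")):
            findings.append((d["id"], "sql differs from baseline"))
        changed_on = datetime.fromisoformat(d["changed_on_utc"])  # assumed ISO-8601 with offset
        if changed_on >= since and d.get("changed_by") not in admins:
            findings.append((d["id"], f"recent edit by non-admin {d.get('changed_by')!r}"))
        foreign = referenced_schemas(d.get("sql")) - {(d.get("schema") or "").lower()}
        if foreign:
            findings.append((d["id"], f"sql reaches other schemas: {sorted(foreign)}"))
    return findings

# Constructed sample records: dataset 7's SQL was widened to join a second schema.
BASELINE = [
    {"id": 7, "table_name": "orders_v", "schema": "sales", "changed_by": "admin",
     "changed_on_utc": "2024-01-02T10:00:00+00:00",
     "sql": "SELECT id, total FROM sales.orders"},
]
CURRENT = [
    {"id": 7, "table_name": "orders_v", "schema": "sales", "changed_by": "analyst",
     "changed_on_utc": "2024-01-05T09:30:00+00:00",
     "sql": "SELECT o.id, o.total, p.ssn FROM sales.orders o JOIN hr.people p ON p.id = o.owner_id"},
    {"id": 8, "table_name": "regions_v", "schema": "sales", "changed_by": "admin",
     "changed_on_utc": "2024-01-03T08:00:00+00:00", "sql": "select * from sales.regions;"},
]

def run_sample():
    """Audit the constructed records with a cutoff of 2024-01-04 and 'admin' trusted."""
    return audit_datasets(CURRENT, BASELINE, datetime(2024, 1, 4, tzinfo=timezone.utc), admins={"admin"})
```

Calling run_sample() reports dataset 7 three times (baseline diff, non-admin edit, cross-schema reference) and dataset 8 not at all; feed it real records from your own export instead of the sample.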
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
