Apache Superset fixes High-severity dataset authorization bypass (CVE-2026-23982)
What happened
Apache disclosed CVE-2026-23982, an Improper Authorization issue in Apache Superset. A low-privileged authenticated user who is allowed to write datasets can, through the dataset creation path, overwrite the SQL query of an existing dataset and so bypass the data access controls that would otherwise stop that user from querying the underlying data.
The Apache CNA rates it High severity (CVSS v4 base score 7.1): the attack is reachable over the network, needs only an authenticated account with low privileges, and can expose data the attacker is not authorized to see.
Who is impacted
- Organizations running Apache Superset < 6.0.0.
- Deployments where users, including non-admin roles, hold permissions that let them write datasets and read charts (the combination the advisory describes as required).
What to do now
- Upgrade Apache Superset to 6.0.0; the advisory states this version fixes the issue.
- While unpatched, treat dataset-write permission as a data access grant: review which roles can create or modify datasets and view charts, and remove that combination from roles that do not need it.
- Audit recent dataset changes for unexpected SQL modifications, for example by comparing the current SQL of each virtual dataset against a known-good copy and checking that the account recorded as the last modifier is one of the dataset's owners.
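One way to carry out the audit step above, as an added example that is not part of the original post or of Superset's own tooling: it diffs two saved responses of the dataset list endpoint (`GET /api/v1/dataset/`) and reports datasets whose SQL was rewritten, along with who made the change and whether that account is among the dataset's owners. The field names (`sql`, `kind`, `owners`, `changed_by`, `changed_on_utc`) are assumed from the Superset REST API; the embedded snapshots are constructed sample data, not real output.

```python
"""Diff two /api/v1/dataset/ snapshots and flag rewritten dataset SQL.

Added example, not code from the advisory or the Superset project. Field
names are assumed from the Superset dataset list API; sample data is constructed.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class SqlChange:
    dataset_id: int
    table_name: str
    changed_by: str
    changed_on_utc: str
    by_owner: bool
    old_sql: str
    new_sql: str


def _normalize(sql: Optional[str]) -> str:
    # Collapse whitespace so a pure reformat does not raise an alert.
    return " ".join((sql or "").split())


def _user_name(user: Optional[dict[str, Any]]) -> str:
    if not user:
        return "<unknown>"
    name = f"{user.get('first_name', '')} {user.get('last_name', '')}".strip()
    return name or str(user.get("id"))


def find_sql_changes(before: dict[str, Any], after: dict[str, Any]) -> list[SqlChange]:
    """Return datasets whose SQL differs between two snapshots of the dataset list."""
    previous = {row["id"]: row for row in before["result"]}
    changes: list[SqlChange] = []
    for row in after["result"]:
        prev = previous.get(row["id"])
        if prev is None:
            continue  # newly created dataset, not an overwrite of an existing one
        old_sql, new_sql = _normalize(prev.get("sql")), _normalize(row.get("sql"))
        if old_sql == new_sql:
            continue
        actor = row.get("changed_by") or {}
        owner_ids = {o.get("id") for o in row.get("owners") or []}
        changes.append(SqlChange(
            dataset_id=row["id"],
            table_name=row.get("table_name", ""),
            changed_by=_user_name(actor),
            changed_on_utc=row.get("changed_on_utc", ""),
            by_owner=actor.get("id") in owner_ids,  # modifier not an owner is the suspicious case
            old_sql=old_sql,
            new_sql=new_sql,
        ))
    return changes


def report(changes: list[SqlChange]) -> list[str]:
    lines = []
    for c in changes:
        flag = "" if c.by_owner else " [NOT AN OWNER]"
        lines.append(f"dataset {c.dataset_id} ({c.table_name}) SQL changed by "
                     f"{c.changed_by}{flag} at {c.changed_on_utc}")
        lines.append(f"  old: {c.old_sql}")
        lines.append(f"  new: {c.new_sql}")
    return lines


# Constructed sample snapshots (not real Superset output).
_ADMIN = {"id": 1, "first_name": "Dana", "last_name": "Admin"}
_LOWPRIV = {"id": 7, "first_name": "Lo", "last_name": "Priv"}
SNAPSHOT_BEFORE = {"result": [
    {"id": 12, "table_name": "sales_summary", "kind": "virtual",
     "sql": "SELECT region, SUM(amount) AS total FROM sales GROUP BY region",
     "owners": [_ADMIN], "changed_by": _ADMIN, "changed_on_utc": "2026-01-15T10:00:00.000000+0000"},
    {"id": 13, "table_name": "orders", "kind": "physical", "sql": None,
     "owners": [_ADMIN], "changed_by": _ADMIN, "changed_on_utc": "2026-01-15T10:01:00.000000+0000"},
    {"id": 15, "table_name": "refunds_view", "kind": "virtual", "sql": "SELECT *\n  FROM refunds",
     "owners": [_ADMIN], "changed_by": _ADMIN, "changed_on_utc": "2026-01-15T10:02:00.000000+0000"},
]}
SNAPSHOT_AFTER = {"result": [
    {"id": 12, "table_name": "sales_summary", "kind": "virtual",
     "sql": "SELECT * FROM hr.salaries",  # existing dataset's SQL overwritten by a non-owner
     "owners": [_ADMIN], "changed_by": _LOWPRIV, "changed_on_utc": "2026-02-20T09:12:00.000000+0000"},
    {"id": 13, "table_name": "orders", "kind": "physical", "sql": None,
     "owners": [_ADMIN], "changed_by": _ADMIN, "changed_on_utc": "2026-01-15T10:01:00.000000+0000"},
    {"id": 15, "table_name": "refunds_view", "kind": "virtual", "sql": "SELECT * FROM refunds",
     "owners": [_ADMIN], "changed_by": _ADMIN, "changed_on_utc": "2026-02-01T08:00:00.000000+0000"},
    {"id": 16, "table_name": "new_report", "kind": "virtual", "sql": "SELECT 1",
     "owners": [_LOWPRIV], "changed_by": _LOWPRIV, "changed_on_utc": "2026-02-21T12:00:00.000000+0000"},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python audit.py before.json after.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = json.load(f1), json.load(f2)
    else:
        before, after = SNAPSHOT_BEFORE, SNAPSHOT_AFTER
    print("\n".join(report(find_sql_changes(before, after))))
```

Run against the embedded samples it reports only dataset 12: the whitespace-only change to dataset 15 and the newly created dataset 16 are ignored, since the vulnerability is about rewriting the SQL of a dataset that already exists. In production, capture the "before" snapshot from a backup or an earlier export, and review any flagged row whose modifier is not an owner.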
Additional Information
- Affected versions: "Apache Superset 0.0.0 before 6.0.0" (per oss-security post).
- Credit: River Koh (reporter) and Daniel Gaspar (remediation developer).
- Reference: oss-security announcement for CVE-2026-23982.
Published 24 Feb 2026
