CVE-2026-23982
Received Received - Intake

Improper Authorization in Apache Superset Allows Data Access Bypass

Vulnerability report for CVE-2026-23982, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: Apache Software Foundation

Description

An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-07-06
AI Q&A
2026-02-24
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache superset to 6.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Users are recommended to upgrade Apache Superset to version 6.0.0, which fixes this improper authorization vulnerability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

This vulnerability is an Improper Authorization issue in Apache Superset versions before 6.0.0. It allows a low-privileged authenticated user to bypass data access controls by overwriting the SQL query of an existing dataset. Normally, Superset enforces permission checks when creating datasets to prevent unauthorized data queries, but this flaw lets users with permissions to write datasets and read charts circumvent those checks.

Impact Analysis

The vulnerability can lead to unauthorized data access by users who should not have permission to query certain datasets. This means sensitive or restricted information could be exposed to low-privileged users, potentially leading to data leaks or misuse of confidential data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23982. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart