CVE-2026-23982
Received Received - Intake
Improper Authorization in Apache Superset Allows Data Access Bypass

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: Apache Software Foundation

Description
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23982
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache superset to 6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

Users are recommended to upgrade Apache Superset to version 6.0.0, which fixes this improper authorization vulnerability.

Executive Summary

This vulnerability is an Improper Authorization issue in Apache Superset versions before 6.0.0. It allows a low-privileged authenticated user to bypass data access controls by overwriting the SQL query of an existing dataset. Normally, Superset enforces permission checks when creating datasets to prevent unauthorized data queries, but this flaw lets users with permissions to write datasets and read charts circumvent those checks.

Impact Analysis

The vulnerability can lead to unauthorized data access by users who should not have permission to query certain datasets. This means sensitive or restricted information could be exposed to low-privileged users, potentially leading to data leaks or misuse of confidential data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23982. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart