CVE-2026-23984
Received Received - Intake
Improper Input Validation in Apache Superset Enables Read-Only Bypass

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: Apache Software Foundation

Description
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23984
EUVD
EUVD-2026-8475
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache superset to 6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Input Validation issue in Apache Superset versions before 6.0.0. It allows an authenticated user who has access to SQLLab to bypass the read-only verification check when connected to a PostgreSQL database.

Although the system blocks standard Data Manipulation Language (DML) statements like INSERT, UPDATE, and DELETE on read-only connections, it fails to detect these operations if they are embedded within specially crafted SQL statements.

Impact Analysis

This vulnerability can allow an authenticated user with SQLLab access to perform unauthorized data modification operations on a PostgreSQL database that is supposed to be read-only.

As a result, data integrity could be compromised because users might be able to insert, update, or delete data despite restrictions intended to prevent such actions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

Users are recommended to upgrade Apache Superset to version 6.0.0, which fixes the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart