Apache Superset
68 CVEs affecting Apache Superset. Latest disclosed: 2026-02-24. Critical: 4, High: 7.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-53947 | Critical | 9.8 | 2024-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific fu… |
| CVE-2022-27479 | Critical | 9.8 | 2022-04-13 | Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue. |
| CVE-2018-8021 | Critical | 9.8 | 2018-11-07 | Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Super… |
| CVE-2023-49657 | Critical | 9.6 | 2024-01-23 | A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or… |
| CVE-2023-27524 | High | 8.9 | 2023-04-24 | Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY accordi… |
| CVE-2025-27696 | High | 8.8 | 2025-05-13 | Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissio… |
| CVE-2022-43719 | High | 8.8 | 2023-01-16 | Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 an… |
| CVE-2021-41971 | High | 8.8 | 2021-10-18 | Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authe… |
| CVE-2020-13948 | High | 8.8 | 2020-09-17 | While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in… |
| CVE-2020-13952 | High | 8.1 | 2020-09-30 | In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could acce… |
| CVE-2023-49734 | High | 7.7 | 2023-12-19 | An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts al… |
| CVE-2024-34693 | Medium | 6.8 | 2024-06-20 | Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If b… |
| CVE-2023-37941 | Medium | 6.6 | 2023-09-06 | If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote cod… |
| CVE-2026-23984 | Medium | 6.5 | 2026-02-24 | An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification… |
| CVE-2026-23983 | Medium | 6.5 | 2026-02-24 | A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabl… |
| CVE-2026-23982 | Medium | 6.5 | 2026-02-24 | An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Su… |
| CVE-2026-23980 | Medium | 6.5 | 2026-02-24 | Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read acc… |
| CVE-2026-23969 | Medium | 6.5 | 2026-02-24 | Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab a… |
| CVE-2025-55675 | Medium | 6.5 | 2025-08-14 | Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to disco… |
| CVE-2025-55674 | Medium | 6.5 | 2025-08-14 | A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special i… |