FIND-20260329-025 · 2026-03-29 · Innovation Veille
Apache Superset CVE-2026-23982 (auth bypass) and CVE-2026-23980 (SQL injection) — fixed in 6.0.0
cve
LOW
Two vulnerabilities affect Apache Superset releases before 6.0.0. CVE-2026-23982 is an authorization bypass that lets low-privileged authenticated users overwrite dataset SQL queries and thereby access data they are not authorized to see. CVE-2026-23980 is a SQL injection reachable through the sqlExpression or where parameters by authenticated users with read access. Both are fixed in Superset 6.0.0. ODS uses Metabase (not Superset) in the Data Platform layer, so these CVEs do not directly affect ODS infrastructure. Recorded for awareness in case Superset is evaluated as an alternative BI tool.
Source
https://superset.apache.org/docs/security/cves/
ODS Impact
ODS uses Metabase for BI/analytics, not Apache Superset. No immediate action required. If Superset is ever evaluated as a Metabase replacement, ensure version 6.0.0 or later is deployed.
Security Review
License: Apache-2.0 | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
apache-superset
cve
sql-injection
auth-bypass
bi-analytics