CVE-2026-23980

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Apache Superset allows authenticated users with read access to execute arbitrary SQL commands through the sqlExpression or where parameters. The vulnerability enables attackers to potentially read, modify, or delete database contents. All Apache Superset instances before version 6.0.0 are affected.

💻 Affected Systems

Products:
  • Apache Superset
Versions: All versions before 6.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with read access; affects sqlExpression and where parameters in Superset queries.

📦 What is this software?

Apache Superset is an open-source data exploration and visualization platform. It connects to SQL databases and lets users build charts and dashboards, including ad-hoc metrics and filters written as SQL fragments; the sqlExpression and where parameters named in this advisory carry those user-supplied fragments.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution through database functions.

🟠

Likely Case

Unauthorized data access and exfiltration from connected databases, potentially exposing sensitive business data.

🟢

If Mitigated

Limited impact if the patch is applied and the database account Superset uses is restricted to read-only access on the datasets it serves: injected fragments are rejected, and anything that still gets through can at most read what that account could already read.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward for attackers with SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.0

Vendor Advisory: https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4

Restart Required: Yes

Instructions:

1. Back up the Superset metadata database and configuration before upgrading.
2. Upgrade to Apache Superset 6.0.0 or later in the environment Superset actually runs from, e.g. pip install "apache-superset>=6.0.0" (for container deployments, rebuild the image on a 6.0.0 or later base instead of patching a running container).
3. Run the metadata database migrations: superset db upgrade
4. Restart the Superset web server (and any Celery workers) so the new code is loaded.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add a validation step in front of Superset (reverse proxy, WAF, or a request hook) that rejects sqlExpression and where values containing statement terminators, comment sequences, unbalanced quotes, or data-modifying keywords. This is a blocklist and will not catch every dialect-specific bypass; treat it as a stopgap until 6.0.0 is deployed, not as a replacement for the patch.

Database User Privilege Reduction

Platform: all

Limit database user permissions used by Superset to read-only access where possible.
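The following is an added example of the input validation workaround described above; it is not code from Apache Superset or from the advisory. It strips quoted string literals first so that quote characters and keywords inside legitimate literals (a region named EMEA--west, for instance) are not mistaken for injection, then rejects fragments with unbalanced quotes, statement terminators, comment markers, or keywords that have no place in a metric or filter expression. The keyword list and the 500-character limit are assumptions to tune for your dialect.

```python
import re

# Keywords a dashboard user has no reason to put in a metric expression or WHERE fragment.
# This is a blocklist, so it is a stopgap rather than a fix: extend it for the dialect your
# Superset instance talks to (e.g. COPY for PostgreSQL, LOAD for MySQL). Assumed list.
BLOCKED_KEYWORDS = {
    "UNION", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE",
    "GRANT", "REVOKE", "EXEC", "EXECUTE", "INTO", "CALL",
}

# A single-quoted SQL literal, allowing the '' escape for an embedded quote.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


def strip_string_literals(fragment):
    """Replace every complete quoted literal with the placeholder '?' so that quotes and
    keywords inside legitimate strings do not trigger the checks below."""
    return _STRING_LITERAL.sub("'?'", fragment)


def find_problems(fragment):
    """Return the list of reasons the fragment should be rejected; an empty list means accept."""
    problems = []
    code = strip_string_literals(fragment)
    # A quote that survived stripping is unbalanced: the classic  ' OR 1=1 --  shape.
    if code.count("'") % 2:
        problems.append("unbalanced single quote")
    if ";" in code:
        problems.append("statement terminator ';'")
    # -- and /* are standard comment openers, # is MySQL's. Note that PostgreSQL uses # as a
    # bitwise operator, so drop it from this check if that operator is needed in expressions.
    if "--" in code or "/*" in code or "#" in code:
        problems.append("SQL comment sequence")
    for word in re.findall(r"[A-Za-z_]+", code):
        if word.upper() in BLOCKED_KEYWORDS:
            problems.append(f"blocked keyword {word.upper()}")
    return problems


def validate_fragment(fragment, max_len=500):
    """Raise ValueError for an unacceptable sqlExpression/where value, else return it unchanged.
    Call this on the parameter before it reaches Superset (e.g. from a proxy or request hook)."""
    if len(fragment) > max_len:
        raise ValueError(f"fragment longer than {max_len} characters")
    problems = find_problems(fragment)
    if problems:
        raise ValueError("rejected SQL fragment: " + "; ".join(problems))
    return fragment
```

validate_fragment("region = 'EMEA--west'") passes because the comment marker sits inside a literal, while validate_fragment("x'; DROP TABLE t --") raises with four reasons. Subqueries are deliberately not blocked (SELECT and FROM are legitimate inside a custom metric), so this does not prevent data reads; combine it with the read-only database user below.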

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict network access to Superset instances and implement strict authentication controls

🔍 How to Verify

Check if Vulnerable:

Check Superset version: if version is below 6.0.0, the system is vulnerable.

Check Version:

pip show apache-superset | grep Version

or, from the environment Superset runs in:

superset version
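An added example (not from the advisory or the Superset project) of turning the version check above into a script that can be dropped into an inventory job. It handles the edge case the one-liner does not: pre-release builds such as 6.0.0rc1 or 6.0.0.dev0 are older than the 6.0.0 fix and must be reported as vulnerable. The fixed version is taken from this page; the pre-release suffix handling is an assumption based on Python packaging conventions.

```python
import re
import sys

FIXED_VERSION = (6, 0, 0)   # first fixed release per the advisory

# major.minor[.patch] followed by whatever suffix the build carries (rc1, a2, .dev0, .post1, ...)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a Superset version string.
    Alpha, beta, release-candidate and dev suffixes count as pre-release; .postN does not."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    suffix = m.group(4)
    is_pre = bool(re.search(r"(a|b|rc|dev)\d*", suffix))
    return (major, minor, patch), is_pre


def is_vulnerable(version_text):
    """True when the version is older than the 6.0.0 release.
    A 6.0.0 pre-release predates the fix and is therefore still vulnerable."""
    nums, is_pre = parse_version(version_text)
    if nums < FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and is_pre


def installed_version():
    """Version of the apache-superset distribution visible to this interpreter, or None.
    Run it with the interpreter Superset actually uses, not a system-wide one."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("apache-superset")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Usage: python check_superset.py [version]; without an argument the installed one is used.
    v = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    if v is None:
        print("apache-superset is not installed in this interpreter; pass the version as an argument")
        sys.exit(2)
    vulnerable = is_vulnerable(v)
    print(f"apache-superset {v}: {'VULNERABLE (upgrade to 6.0.0 or later)' if vulnerable else 'fixed'}")
    sys.exit(1 if vulnerable else 0)
```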

Verify Fix Applied:

Confirm the running Superset version is 6.0.0 or higher, then, on a non-production instance and with an ordinary read-only account, submit a chart request whose sqlExpression or where value contains an injection payload and confirm the request is rejected rather than executed against the backing database.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in Superset logs
  • Error messages containing SQL syntax in application logs
  • Multiple failed query attempts with special characters

Network Indicators:

  • Unusual database connection patterns from Superset instances
  • Large data transfers from database servers

SIEM Query:

source="superset" AND ("sqlExpression" OR "where") AND ("' OR" OR "--" OR ";" OR "UNION" OR "SELECT" OR "FROM")

Expect false positives from this query: legitimate custom SQL metrics contain SELECT and FROM in subqueries, and a value such as 'EMEA--west' matches the comment marker. Use it to surface candidates, then triage by user and by repeat count.
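An added example, not from the advisory or from Superset, that runs the log indicators above over request events: it pulls every sqlExpression and where value out of a request's form_data wherever it sits (adhoc filters, metrics, extras), applies the same token heuristics as the SIEM query, and reports users who trip them more than once, matching the "multiple attempts" indicator. The sample events are constructed for this example; the JSON event schema (user, form_data) is an assumption, as is the detail that form_data may arrive either as an object or as a JSON-encoded string.

```python
import json
import re
from collections import Counter

# Token heuristics mirrored from the SIEM query above. Tune for your dialect; expect noise.
INJECTION_PATTERNS = [
    (re.compile(r"'\s*OR\b", re.I), "quote followed by OR"),
    (re.compile(r"--|/\*|#"), "comment sequence"),
    (re.compile(r";"), "statement terminator"),
    (re.compile(r"\bUNION\b", re.I), "UNION"),
]
WATCHED_KEYS = {"sqlExpression", "where"}


def iter_sql_fragments(obj, path=""):
    """Yield (json_path, value) for every sqlExpression/where string anywhere in a JSON document,
    so the walker does not depend on exactly where Superset nests the parameter."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in WATCHED_KEYS and isinstance(value, str):
                yield child, value
            else:
                yield from iter_sql_fragments(value, child)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from iter_sql_fragments(value, f"{path}[{index}]")


def classify(fragment):
    """Labels of every heuristic the fragment matches, in INJECTION_PATTERNS order."""
    return [label for pattern, label in INJECTION_PATTERNS if pattern.search(fragment)]


def scan_logs(lines, threshold=2):
    """Return (hits, repeat_offenders): one hit dict per suspicious fragment, and the sorted
    list of users with at least `threshold` hits. Malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        form = event.get("form_data")
        if isinstance(form, str):          # assumed: form_data may be carried JSON-encoded
            try:
                form = json.loads(form)
            except json.JSONDecodeError:
                continue
        for path, fragment in iter_sql_fragments(form or {}):
            reasons = classify(fragment)
            if reasons:
                hits.append({"user": event.get("user"), "path": path,
                             "fragment": fragment, "reasons": reasons})
    per_user = Counter(hit["user"] for hit in hits)
    return hits, sorted(user for user, count in per_user.items() if count >= threshold)


# Constructed sample events for this example; not real Superset log output.
SAMPLE_LOG = [json.dumps(event) for event in [
    {"user": "alice", "form_data": {"adhoc_filters": [
        {"expressionType": "SQL", "sqlExpression": "region = 'EMEA'"}]}},
    {"user": "mallory", "form_data": {"adhoc_filters": [
        {"expressionType": "SQL", "sqlExpression": "1=1 UNION SELECT name, password FROM users --"}]}},
    {"user": "mallory", "form_data": json.dumps({"extras": {"where": "1=1; DROP TABLE audit --"}})},
    {"user": "bob", "form_data": {"metrics": [
        {"expressionType": "SQL", "sqlExpression": "SUM(amount) / COUNT(*)"}]}},
]] + ["this line is not JSON"]


if __name__ == "__main__":
    found, offenders = scan_logs(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['user']:8} {hit['path']:32} {', '.join(hit['reasons'])}")
    print("repeat offenders:", offenders)
```

On the sample input the two mallory requests are flagged (the UNION probe at adhoc_filters[0].sqlExpression and the stacked DROP at extras.where) and mallory is the only repeat offender; alice's and bob's ordinary expressions pass. In production, feed it the request events your proxy or Superset event logger emits and raise the threshold to fit normal usage.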
