Description
A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.
References (1)
Core 1
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos
Scores
CVSS v3
5.4
EPSS
0.0107
EPSS Percentile
77.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (3)
apache/superset
2.0.0 (3 CPE variants)
apache/superset
< 1.5.2
pypi/apache-superset
0PyPI
Published
Jan 16, 2023
Tracked Since
Feb 18, 2026