Apache Superset DISALLOWED_SQL_FUNCTIONS Bypass Vulnerability Allowing Execution of Blocked SQL Functions

Vulnerability

A vulnerability in Apache Superset prior to version 5.0.0 allows the DISALLOWED_SQL_FUNCTIONS security feature to be bypassed. This flaw lets users with SQL Lab access execute SQL functions that the feature was meant to block. Exploiting it could lead to the unauthorized disclosure of sensitive database information, such as the database software version.

Impact

Exploitation of this vulnerability could result in the unauthorized execution of blocked SQL functions, allowing access to sensitive database information, including the software version.

Remediation

Users are advised to upgrade to Apache Superset version 5.0.0 or later, which addresses this vulnerability.

Added: Aug 14, 2025, 3:12 PM
Updated: Aug 14, 2025, 3:12 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.