Apache Superset Incomplete Function Filtering Vulnerability in ClickHouse Engine

Vulnerability

A vulnerability exists in Apache Superset versions prior to 4.1.2, where the default list of disallowed SQL functions for the ClickHouse engine was incomplete. This oversight allows the execution of potentially sensitive SQL functions in SQL Lab and charts, contrary to the application's intended restrictions.
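As an added illustration (not code from Apache Superset or from this advisory), the following Python shows the shape of a per-engine function denylist check and why an incomplete default list amounts to a bypass. The two denylists and the query strings are constructed placeholders (the advisory does not name the functions that were missing), and the small tokenizer stands in for Superset's real SQL parsing.

```python
import re

# Constructed placeholder denylists. An "incomplete" default list that omits
# one sensitive function is exactly the gap the advisory describes.
INCOMPLETE_DENYLIST = {"hypothetical_fn_a"}
COMPLETE_DENYLIST = {"hypothetical_fn_a", "hypothetical_fn_b"}

# One left-to-right scan: comments and string literals are consumed whole so
# that a function name inside them is never mistaken for a call; group 1
# captures an identifier immediately followed by '('.
_TOKEN = re.compile(
    r"/\*.*?\*/"                          # block comment
    r"|--[^\n]*"                          # line comment
    r"|'(?:[^'\\]|\\.)*'"                 # single-quoted string literal
    r"|\b([A-Za-z_][A-Za-z0-9_]*)\s*\(",  # identifier followed by '('
    re.DOTALL,
)


def called_functions(sql):
    """Return the lowercased names that appear as calls in `sql`.

    This over-approximates (keywords such as IN or VALUES followed by '('
    are collected too), which is harmless for a denylist check: a spurious
    keyword can only add a false positive, never hide a real call.
    Nested calls are found because every identifier+'(' pair is matched.
    """
    return {m.group(1).lower() for m in _TOKEN.finditer(sql) if m.group(1)}


def check_query(sql, denylist):
    """Gatekeeping decision: (allowed, offending_functions).

    Matching is case-insensitive so that a denylist entry cannot be dodged
    by changing the case of the call.
    """
    hits = sorted(called_functions(sql) & {f.lower() for f in denylist})
    return (not hits, hits)


# Constructed sample queries exercising the cases a reviewer cares about.
SAMPLE_QUERIES = {
    "plain": "SELECT count(*) FROM t WHERE day = today()",
    "listed": "SELECT HYPOTHETICAL_FN_A() FROM t",
    "unlisted": "SELECT lower(hypothetical_fn_b()) -- hypothetical_fn_a() in a comment",
    "quoted": "SELECT 'hypothetical_fn_a()' AS s FROM t",
}


def run_report():
    """Evaluate every sample query against both denylists."""
    return {
        name: {
            "incomplete": check_query(sql, INCOMPLETE_DENYLIST),
            "complete": check_query(sql, COMPLETE_DENYLIST),
        }
        for name, sql in SAMPLE_QUERIES.items()
    }


if __name__ == "__main__":
    for name, verdicts in run_report().items():
        print(f"{name:9s} incomplete={verdicts['incomplete']} complete={verdicts['complete']}")
```

The "unlisted" row is the interesting one: under the incomplete list the query is allowed even though it calls a function the application intends to block, while the same query is rejected once the list is complete. The "quoted" row shows why the filter must look at calls rather than raw text, and the "listed" row shows why matching has to be case-insensitive.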

Impact

Exploitation of this vulnerability could lead to the execution of sensitive SQL functions in ClickHouse, bypassing intended safeguards.

Remediation

Users are advised to upgrade to Apache Superset version 4.1.2 or later, which addresses this vulnerability.

Added: Feb 24, 2026, 3:02 PM
Updated: Feb 24, 2026, 11:04 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 3.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.