PYSEC-2026-1187

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1187.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1187
Aliases
Published
2026-07-07T11:45:23.401916Z
Modified
2026-07-07T17:57:11.702828025Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
Apache Superset vulnerable to improper data authorization
Details

Improper data authorization check on Jinja templated queries in Apache SupersetĀ up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.

References

Affected packages

PyPI / apache-superset

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.1

Affected versions

0.*
0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
2.*
2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1187.yaml"