CVE-2025-48912 HIGH

CVE-2025-48912: Apache Superset: Improper authorization bypass on row level security via SQL Injection

Vendor Apache Software Foundation
Product Apache Superset
Weakness CWE-89 · SQLi
Published May 30, 2025
Last update May 31, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

An authenticated malicious actor using specially crafted requests could bypass the row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries that evade the parsing defenses, ultimately granting unauthorized access to data. This issue affects Apache Superset before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue.

Disclosure timeline

May 30, 2025 CVE published
May 31, 2025 Record updated