CVE-2025-48912: Apache Superset: Improper authorization bypass on row level security via SQL Injection

May 30, 2025 (updated June 3, 2025)

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into ‘sqlExpression’ fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.

References

github.com/advisories/GHSA-8w7f-8pr9-xgwj
github.com/apache/superset
lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135
nvd.nist.gov/vuln/detail/CVE-2025-48912

Code Behaviors & Features

Detect and mitigate CVE-2025-48912 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →