A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Affected Packages

PyPI apache-superset

Affected versions: 0 (last affected: 1.5.2)

PyPI apache-superset

Related CVEs

CVE-2022-41703

Key Information

GHSA ID

GHSA-cxvp-3frm-3876

Published

January 16, 2023 12:30 PM

Last Modified

April 8, 2025 10:02 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-superset

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.