Apache Superset Flaw Enables Authenticated Attackers to Read Arbitrary Server Files via MariaDB

A critical input validation vulnerability in Apache Superset exposes affected installations to arbitrary file read attacks by authenticated users through specially crafted MariaDB connections. The flaw leverages the LOCAL_INFILE capability—a database feature disabled by default on MariaDB servers but potentially exploitable under specific configuration conditions. Security researchers reviewing the Superset codebase identified that an authenticated attacker with sufficient database privileges could establish a MariaDB connection with local_infile enabled, then execute specific SQL commands to pull files from the web server filesystem directly into database tables. The attacker's ability to read server files depends on both the MariaDB server and the local MySQL client on the web server permitting LOCAL_INFILE requests—conditions that may exist in shared hosting or improperly hardened deployments. Affected versions span before 3.1.3 and the entire 4.0.0 release line. The Apache Superset project has released patched versions 3.1.3 and 4.0.1 to address the improper input validation weakness. Organizations running vulnerable Superset instances, particularly those with multi-tenant access or untrusted user populations, face elevated risk if their MariaDB backends have LOCAL_INFILE enabled. Administrators are advised to verify database configurations restrict local file access, audit Superset deployments for unauthorized database connections, and apply the available security updates without delay.