Apache Superset SQLLab Flaw Bypasses Read-Only Validation on Postgres Databases
A critical improper authorization vulnerability in Apache Superset's SQLLab enables authenticated users to execute unauthorized write operations on Postgres analytic databases. Attackers with SQLLab access can craft specially designed SQL DML statements that the system incorrectly classifies as read-only queries, effectively bypassing validation checks meant to prevent data modification.
The flaw specifically affects Postgres analytics database connections whose database user is not restricted to read-only permissions at the database level. In such configurations, an attacker can exploit the validation weakness to submit and execute DML statements, such as INSERT, UPDATE, or DELETE, that SQLLab should have blocked. Non-Postgres analytics database connections are not affected. Postgres connections configured with a database-level read-only user, a practice explicitly advised in the Superset documentation, are likewise not exploitable, because the database itself rejects the write regardless of how SQLLab classifies the statement.
The vulnerability impacts all Apache Superset versions prior to 4.1.0. Organizations running affected deployments with exposed Postgres analytics connections face the risk of unauthorized data manipulation. Security teams are advised to audit SQLLab configurations, verify that database users assigned to analytics connections operate with minimal privileges, and apply the security patch released in version 4.1.0 as the primary remediation step. As a defense-in-depth measure, enforcing read-only database permissions at the connection level remains the recommended configuration regardless of patching status.
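The database-level read-only user recommended above, written out as an added example (not from the advisory or the Superset project). The role, database, schema and owner names are assumptions; the point is that Postgres, not SQLLab's statement classifier, becomes the boundary that rejects writes.

```sql
-- Added example: least-privilege Postgres role for a Superset analytics
-- connection. Names (superset_ro, analytics, analytics_owner) are assumptions.
CREATE ROLE superset_ro LOGIN PASSWORD '<set-a-strong-password>';

-- Strip the defaults PUBLIC inherits (CONNECT/TEMP on the database and, on
-- PostgreSQL < 15, CREATE on the public schema), then grant connect only.
REVOKE ALL ON DATABASE analytics FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE analytics TO superset_ro;

-- Read access to existing objects in the analytics schema.
GRANT USAGE ON SCHEMA public TO superset_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO superset_ro;

-- Tables created later by the owning role are read-only for this role too;
-- this only applies to objects created by analytics_owner.
ALTER DEFAULT PRIVILEGES FOR ROLE analytics_owner IN SCHEMA public
    GRANT SELECT ON TABLES TO superset_ro;

-- Defense in depth: sessions start read-only, so a misclassified DML
-- statement fails with "cannot execute INSERT in a read-only transaction".
-- Caveat: this parameter is user-settable and can be switched off within a
-- session, so the GRANT/REVOKE set above is the real enforcement boundary.
ALTER ROLE superset_ro SET default_transaction_read_only = on;

-- Verification (constructed session as superset_ro; expected to be rejected):
-- SET ROLE superset_ro;
-- INSERT INTO public.orders (id) VALUES (1);
-- ERROR:  permission denied for table orders
```

Point the Superset analytics connection at `superset_ro` and re-run the check after the upgrade to 4.1.0; the patch fixes the classifier, the role removes the ability to write at all.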