Apache Superset Vulnerability Allows Authenticated Attackers to Read Server Files via MariaDB Connection

A critical input validation flaw in Apache Superset enables authenticated attackers to leverage MariaDB's local_infile functionality to read arbitrary files from the web server. The vulnerability, tracked as CVE-related to improper input validation, permits an attacker who can create a MariaDB database connection to execute specific SQL commands that load file contents directly into database tables. This attack path becomes viable only when both the target MariaDB server and the local MySQL client on the web server have local_infile permissions enabled—a configuration that is disabled by default on the database side but can be exploited if deliberately or inadvertently activated.

The vulnerability affects all Apache Superset deployments running versions prior to 3.1.3 and the initial 4.0.0 release. Organizations running these versions face the risk of localized file exfiltration if an attacker obtains authenticated access to the platform and the local_infile setting is present in the affected configuration chain. The Apache Superset security team has released versions 3.1.3 and 4.0.1 as corrective patches, addressing the input validation weakness that enables the attack vector. Users of affected versions are strongly advised to upgrade immediately, particularly those operating MariaDB integrations in environments where local_infile may be accessible.

Security teams should audit Superset deployments for authentication controls, reviewing which users have database connection privileges and whether MariaDB connectors are in use. The vulnerability underscores the risk posed by database features designed for legitimate data import operations when misconfigured or combined with application-layer flaws. Given the platform's use in business intelligence and data visualization contexts, successful exploitation could expose sensitive files including configuration data, credentials, or other structured data accessible to the web server process.