CVE-2025-48912 — Apache Superset: Improper authorization bypass on row level security via SQL Inj

Description

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue.

How to fix CVE-2025-48912

To remediate CVE-2025-48912, upgrade the affected package to a fixed version below.

—upgrade to 4.1.2 or later
—upgrade to 4.1.2 or later

Is CVE-2025-48912 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.1.2
from 0, < 4.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-48912
PATCHgithub.com/apache/superset
WEBlists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135
WEBwww.openwall.com/lists/oss-security/2025/05/30/3