CVE-2025-48912: 
Apache Superset vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-48912) was discovered in Apache Superset, affecting all versions prior to 4.1.2. The vulnerability was disclosed on May 30, 2025, and allows authenticated users to bypass row-level security (RLS) controls through SQL injection attacks. Apache Superset is a widely used open-source data exploration and visualization platform (Wiz, Security Online).

The vulnerability stems from improper sanitization of the 'sqlExpression' fields within row-level security policies. It is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The flaw received a CVSS 4.0 Base Score of 7.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, and a CVSS 3.1 Base Score of 6.5 (MEDIUM) (NVD, Wiz).

The vulnerability enables authenticated attackers to execute sub-queries that bypass parser-level protections, potentially gaining unauthorized access to sensitive data that should be restricted by row-level security configurations. This poses a particular risk for organizations relying on RLS to enforce fine-grained access control in their data infrastructure (Security Online).

Users running vulnerable versions of Apache Superset are strongly advised to upgrade immediately to version 4.1.2, which includes the necessary security patch to address this vulnerability. The fix was developed by Beto de Almeida as part of the remediation effort (Openwall, Wiz).