## Apache Superset CVE-2024-39887: PostgreSQL Blocklist Gap Enables SQL Restriction Bypass
A SQL injection vulnerability in Apache Superset's PostgreSQL query authorization layer could allow attackers to bypass intended security restrictions. Tracked as CVE-2024-39887, the flaw stems from functions that are missing from Superset's DISALLOWED_SQL_FUNCTIONS blocklist, in particular query_to_xml, which lets certain dangerous operations execute despite the configured safeguards.

The vulnerability exists in how Superset's PostgreSQL engine specs handle query authorization filtering. Functions that should be blocked can slip through when omitted from the blocklist configuration in superset/config.py. This creates a gap where attackers with database access could leverage restricted functions to extract sensitive data or escalate privileges beyond their intended authorization level. The affected code paths and the specific regression test requirements are documented in the project's unit_tests/db_engine_specs/ directory. The flaw impacts the master and latest-dev branches running Python 3.9.

Remediation requires adding the missing dangerous functions to the DISALLOWED_SQL_FUNCTIONS blocklist and implementing a regression test that proves the functions are properly denied. Security teams running Superset instances with PostgreSQL backends should monitor the project's security advisories for patch availability. Given Superset's role as a widely deployed business intelligence and data visualization platform, exploitation could expose query results, database schemas, or internal data structures that should remain restricted under row-level and function-level access controls.
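The blocklist mechanism and the two-part fix described above (add the function to the blocklist, then prove it is denied with a regression test) can be illustrated with the following Python. This is an added example written for this write-up, not Superset's own implementation: the per-engine blocklist contents, the regex-based call detection, and the names `BLOCKLIST_BEFORE`, `BLOCKLIST_AFTER`, `is_authorized` and `run_regression` are all constructed for the example. It shows the pre-fix state letting a `query_to_xml` call through, the post-fix state denying it (including a schema-qualified, mixed-case spelling), and a regression check that only passes once the gap is closed.

```python
"""Illustrative per-engine SQL function blocklist check, in the shape of
Superset's DISALLOWED_SQL_FUNCTIONS setting. Example code for this write-up;
not Superset's implementation, and the blocklist contents are a constructed sample."""
import re
from typing import Dict, FrozenSet, List

SqlBlocklist = Dict[str, FrozenSet[str]]

# Constructed "before" state: a PostgreSQL blocklist that omits query_to_xml,
# which is the gap CVE-2024-39887 describes.
BLOCKLIST_BEFORE: SqlBlocklist = {
    "postgresql": frozenset(
        {"database_to_xml", "inet_server_addr", "inet_client_addr", "version"}
    ),
}

# Remediated state: the same blocklist with query_to_xml added.
BLOCKLIST_AFTER: SqlBlocklist = {
    "postgresql": BLOCKLIST_BEFORE["postgresql"] | frozenset({"query_to_xml"}),
}

# Strip SQL comments so the call detection sees one normalised form.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
# An identifier, optionally schema-qualified (pg_catalog.name), followed by "(".
# Only the unqualified final component is captured.
_CALL_RE = re.compile(r"\b(?:[a-z_][a-z0-9_]*\.)*([a-z_][a-z0-9_]*)\s*\(")


def called_functions(sql: str) -> List[str]:
    """Return the unqualified, lower-cased names of every function call in sql."""
    cleaned = _COMMENT_RE.sub(" ", sql.lower())
    return _CALL_RE.findall(cleaned)


def disallowed_functions_used(sql: str, engine: str, blocklist: SqlBlocklist) -> List[str]:
    """Blocklisted names for this engine that the statement calls, in order of first use."""
    blocked = {name.lower() for name in blocklist.get(engine, frozenset())}
    hits: List[str] = []
    for name in called_functions(sql):
        if name in blocked and name not in hits:
            hits.append(name)
    return hits


def is_authorized(sql: str, engine: str, blocklist: SqlBlocklist) -> bool:
    """Deny the statement if it calls any blocklisted function for this engine."""
    return not disallowed_functions_used(sql, engine, blocklist)


# Constructed regression cases: statement -> whether it must be authorized
# once the fix is in place. The query_to_xml cases are the ones the fix adds.
REGRESSION_CASES: Dict[str, bool] = {
    "SELECT count(*) FROM orders": True,
    "SELECT query_to_xml('select 1', true, false, '')": False,
    "SELECT pg_catalog.QUERY_TO_XML('select 1', true, false, '')": False,
    "SELECT version()": False,
}


def run_regression(blocklist: SqlBlocklist, engine: str = "postgresql") -> Dict[str, bool]:
    """Evaluate every regression case against a blocklist; returns statement -> authorized."""
    return {sql: is_authorized(sql, engine, blocklist) for sql in REGRESSION_CASES}


def regression_passes(blocklist: SqlBlocklist) -> bool:
    """True only if every case gets its expected post-fix verdict."""
    return run_regression(blocklist) == REGRESSION_CASES


if __name__ == "__main__":
    for label, blocklist in (("before", BLOCKLIST_BEFORE), ("after", BLOCKLIST_AFTER)):
        print(f"{label}: regression passes = {regression_passes(blocklist)}")
        for sql, ok in run_regression(blocklist).items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {sql}")
```

Running the script shows the `query_to_xml` statement allowed under `BLOCKLIST_BEFORE` and denied under `BLOCKLIST_AFTER`, so `regression_passes` fails before the fix and succeeds after it, which is the property the regression test in the remediation is meant to pin down. The detection here is deliberately deny-leaning: a blocklisted name that merely appears inside a string literal followed by a parenthesis also trips it, which is the safe direction for an allow/deny gate. A real engine spec should rely on a proper SQL parser rather than a regex, and a function blocklist is only one layer alongside the row-level and database-account controls the article mentions.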

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: sql-injection, cve-2024-39887, postgresql, blocklist-bypass, query-authorization
- **Credibility**: unverified
- **Published**: 2026-04-26 18:54:06
- **ID**: 77222
- **URL**: https://whisperx.ai/en/intel/77222