## Apache Superset SQL Injection Risk: Critical PostgreSQL Functions Missing from Security Blocklist
A reported vulnerability in Apache Superset reveals that several dangerous PostgreSQL functions capable of data exfiltration and side effects are absent from the application's DISALLOWED_SQL_FUNCTIONS blocklist. The flaw, classified under OWASP A03:2021 — Injection (CWE-89), could allow attackers to bypass intended query restrictions and execute unauthorized database operations.

The missing functions include query_to_xml, query_to_json, ts_stat, dblink_exec, and pg_read_file. These functions can enable scenarios ranging from arbitrary file reads on the database server to cross-database queries via dblink connections and structured data extraction in XML or JSON formats. The blocklist, defined primarily in superset/config.py, serves as a core authorization control for SQL execution within Superset's query engine. Security researchers note that when dangerous functions are omitted from this list, the intended isolation between users and sensitive database operations breaks down.

The issue report outlines four remediation steps: adding the missing functions to DISALLOWED_SQL_FUNCTIONS, conducting a comprehensive audit of dangerous functions across PostgreSQL, MySQL, and BigQuery engine specifications, implementing regression tests for each newly blocked function, and verifying that legitimate queries remain functional. The affected code paths reportedly extend into tests/unit_tests/db_engine_specs/, indicating that validation coverage may also require updates. Security teams running Superset deployments with PostgreSQL backends should monitor this issue for patches and consider temporary mitigations such as database-level permissions hardening.
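As an added illustration of the control and of remediation steps one, three and four (example code, not Superset's own), the block below models a per-engine function blocklist holding the five PostgreSQL names from the report, finds the function calls in a statement, and runs the kind of regression check the report asks for: each blocked name is caught across case, spacing and schema-qualified variants while an ordinary analytics query still passes. The dict shape and every function name in the code are assumptions; the tokenizer is a regex that blanks strings and comments, and a production check should run on the SQL parser's output instead.

```python
import re

# Constructed stand-in for the per-engine blocklist the page describes (the shape is
# an assumption; it is not Superset's own config.py). The PostgreSQL entry holds the
# five functions the report says are missing.
DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {"query_to_xml", "query_to_json", "ts_stat", "dblink_exec", "pg_read_file"},
}

# Strings, quoted identifiers and comments are blanked first so a name inside them
# is neither a false positive nor a way to mask a real call. Caveat: dollar-quoted
# strings ($$...$$) are not handled; a production check belongs on the parser's AST.
_STRING_OR_COMMENT = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted string literal ('' is an escaped quote)
    r'|"(?:[^"]|"")*"'     # double-quoted identifier
    r"|--[^\n]*"           # line comment
    r"|/\*.*?\*/",         # block comment
    re.DOTALL,
)
# An identifier directly followed by "(" is treated as a call; for a qualified call
# such as pg_catalog.pg_read_file(...) the match is the final component.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def called_functions(sql: str) -> set[str]:
    """Lower-cased names of every function call in `sql` (keywords such as IN or
    VALUES before a parenthesis are included but never collide with the blocklist)."""
    return {m.group(1).lower() for m in _CALL.finditer(_STRING_OR_COMMENT.sub(" ", sql))}


def disallowed_calls(sql: str, engine: str) -> set[str]:
    """Blocked names that `sql` calls on `engine`; an empty set means the query passes."""
    blocked = {name.lower() for name in DISALLOWED_SQL_FUNCTIONS.get(engine, set())}
    return called_functions(sql) & blocked


def regression_check(engine: str = "postgresql") -> dict[str, bool]:
    """Steps 3 and 4 of the report: each newly blocked name must be caught in the
    obvious spelling variants, and an ordinary analytics query must still pass."""
    results = {}
    for fn in sorted(DISALLOWED_SQL_FUNCTIONS[engine]):
        variants = [
            f"SELECT {fn}('x')",
            f"SELECT {fn.upper()} ('x')",            # case and spacing
            f"SELECT pg_catalog.{fn}('x')",          # schema-qualified
            f"SELECT 1 /* {fn}( */ , {fn}('x')",     # real call next to a comment
        ]
        results[fn] = all(fn in disallowed_calls(v, engine) for v in variants)
    results["benign"] = not disallowed_calls(
        "SELECT count(*), to_char(ts, 'YYYY') FROM events "
        "WHERE ts > now() - interval '1 day'", engine)
    return results
```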

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: sql-injection, postgresql, security-vulnerability, apache-superset, owasp
- **Credibility**: unverified
- **Published**: 2026-04-27 01:54:06
- **ID**: 77275
- **URL**: https://whisperx.ai/en/intel/77275