## Apache Superset Reverts CVE-2024-55633 Fix, Reopening SQLLab PostgreSQL Read-Only Bypass
A GitHub pull request has been opened to revert the patch addressing CVE-2024-55633 in Apache Superset's SQLLab, effectively reintroducing a security vulnerability that allows crafted DML statements to bypass read-only restrictions on PostgreSQL databases. The revert removes EXPLAIN ANALYZE DML detection logic, potentially exposing systems configured with SQLLab read-only mode to unauthorized write operations.

The original fix addressed a flaw where DML statements prefixed with EXPLAIN ANALYZE were misclassified as read-only queries and executed against PostgreSQL even when SQLLab was explicitly configured to block write operations. Because PostgreSQL's EXPLAIN ANALYZE actually executes the statement it plans, the wrapped INSERT, UPDATE, or DELETE takes effect, so an authenticated attacker with SQLLab access could perform unauthorized writes on protected databases. The issue is also tracked as GitHub advisory GHSA-787v-v9vq-4rgv and was previously addressed in commit #28279, which implemented logic to ignore the EXPLAIN ANALYZE prefix when determining whether a SQL statement qualifies as read-only.
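To make the misclassification concrete, here is an added Python illustration (not Superset's own code): a naive read-only check that inspects only the statement's first keyword, beside a hardened check that unwraps the EXPLAIN prefix before classifying. It goes slightly beyond the page by also handling PostgreSQL's parenthesised `EXPLAIN (ANALYZE, ...)` option form; the keyword list and regexes are a simplification for illustration, not the project's real SQL parser.

```python
import re

# Statement kinds that modify data or schema. This is a simplified list for
# illustration; a production classifier should use a real SQL parser.
WRITE_KEYWORDS = ("INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE",
                  "CREATE", "ALTER", "DROP")

# Leading -- and /* */ comments, which an attacker could use to pad a statement.
_LEADING_COMMENTS = re.compile(r"^(\s*(--[^\n]*\n|/\*.*?\*/))*\s*", re.S)

# EXPLAIN followed either by a parenthesised option list, e.g.
# EXPLAIN (ANALYZE, BUFFERS), or by bare keyword options, e.g. EXPLAIN ANALYZE VERBOSE.
_EXPLAIN_PREFIX = re.compile(
    r"^\s*EXPLAIN\s+"
    r"(?:\([^()]*\)\s*|(?:(?:ANALYZE|ANALYSE|VERBOSE)\s+)*)",
    re.I,
)


def strip_comments(sql: str) -> str:
    return _LEADING_COMMENTS.sub("", sql)


def first_keyword(sql: str) -> str:
    m = re.match(r"\s*([A-Za-z]+)", sql)
    return m.group(1).upper() if m else ""


def is_read_only_naive(sql: str) -> bool:
    """Vulnerable classifier: only the leading keyword is checked, so
    'EXPLAIN ANALYZE DELETE ...' is treated as a harmless EXPLAIN."""
    return first_keyword(strip_comments(sql)) not in WRITE_KEYWORDS


def unwrap_explain(sql: str) -> str:
    """Return the statement that EXPLAIN plans (and, with ANALYZE, executes)."""
    sql = strip_comments(sql)
    m = _EXPLAIN_PREFIX.match(sql)
    return sql[m.end():] if m else sql


def is_read_only(sql: str) -> bool:
    """Hardened classifier: decide on the statement inside any EXPLAIN wrapper.
    Conservatively, DML under plain EXPLAIN is refused too, since the cost of
    a false block is far lower than that of an executed write."""
    return first_keyword(unwrap_explain(sql)) not in WRITE_KEYWORDS
```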

The revert pull request, authored by what appears to be the project maintainers, does not yet include a detailed explanation for the reversal or an alternative mitigation strategy. Organizations running Apache Superset with PostgreSQL backends and SQLLab read-only mode enabled should monitor this development closely. Until a replacement fix is merged and deployed, the read-only bypass remains exploitable in affected deployments. Security teams should evaluate compensating controls such as database-level permissions (for example, connecting SQLLab through a PostgreSQL role that lacks write privileges), network segmentation, or temporarily disabling SQLLab access for PostgreSQL connections pending resolution.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2024-55633, SQLLab, PostgreSQL, read-only bypass, security vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-29 05:54:10
- **ID**: 78092
- **URL**: https://whisperx.ai/en/intel/78092