apache · iffyio · Feb 10, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 10, 2026
diff --git a/src/parser/mod.rs b/src/parser/mod.rs
@@ -14546,14 +14546,23 @@ impl<'a> Parser<'a> {
             }
             .into());
         } else if self.parse_keyword(Keyword::AUTHORIZATION) {
+            let scope = match scope {
+                Some(s) => s,
+                None => {
+                    return self.expected_at(
+                        "SESSION, LOCAL, or other scope modifier before AUTHORIZATION",
+                        self.get_current_index(),
+                    )
+                }
+            };
             let auth_value = if self.parse_keyword(Keyword::DEFAULT) {
                 SetSessionAuthorizationParamKind::Default
             } else {
                 let value = self.parse_identifier()?;
                 SetSessionAuthorizationParamKind::User(value)
             };
             return Ok(Set::SetSessionAuthorization(SetSessionAuthorizationParam {
-                scope: scope.expect("SET ... AUTHORIZATION must have a scope"),
+                scope,
                 kind: auth_value,
             })
             .into());

diff --git a/tests/sqlparser_common.rs b/tests/sqlparser_common.rs
@@ -18333,6 +18333,16 @@ fn test_parse_set_session_authorization() {
     );
 }
 
+#[test]
+fn test_set_authorization_without_scope_errors() {
+    // This should return a parser error, not panic.
+    let res = parse_sql_statements("SET AUTHORIZATION TIME TIME");
+    assert!(
+        res.is_err(),
+        "SET AUTHORIZATION without a scope modifier (e.g. SESSION) should error"
+    );
+}
+
 #[test]
 fn parse_select_parenthesized_wildcard() {
     // Test SELECT DISTINCT(*) which uses a parenthesized wildcard