Critical severity9.6NVD Advisory· Published Dec 9, 2022· Updated Jun 17, 2026
CVE-2022-23510
CVE-2022-23510
Description
cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade to 0.31.24 or to downgrade to 0.31.22. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@cubejs-backend/api-gatewaynpm | >= 0.31.23, < 0.31.24 | 0.31.24 |
Affected products
2- Range: = 0.31.23
Patches
Vulnerability mechanics
References
5- github.com/cube-js/cube.js/commit/3c614674fed6ca17df08bbba8c835ef110167570nvdPatchThird Party AdvisoryWEB
- github.com/cube-js/cube.js/commit/f1140de508e359970ac82b50bae1c4bf152f6041nvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-6jqm-3c9g-pch7ghsaADVISORY
- github.com/cube-js/cube.js/security/advisories/GHSA-6jqm-3c9g-pch7nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-23510ghsaADVISORY
News mentions
0No linked articles in our index yet.