Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request
Description
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cube API versions 1.1.17 to before 1.5.13/1.4.2 are vulnerable to a denial-of-service (DoS) attack via a specially crafted request, potentially crashing the entire API.
Vulnerability
Cube, an open-source semantic layer for building data applications, is susceptible to a denial-of-service vulnerability. In versions 1.1.17 through 1.5.12 and 1.4.1, a specially crafted request to a Cube API endpoint can cause the entire API to become unavailable [1][3]. This essentially results in a server crash, preventing legitimate use of the data service.
Exploitation
To exploit the vulnerability, an attacker must be authenticated, as indicated by the advisory referencing 'authenticated attacker' [3]. The attack requires only a single specially crafted request to an API endpoint—no complex chaining of requests is necessary. This low complexity and lack of required privileges beyond authentication make it a relatively straightforward attack to execute.
Impact
Successful exploitation leads to a complete denial of service. The Cube API becomes unresponsive, affecting all downstream applications, AI agents, BI tools, and embedded analytics that rely on the semantic layer. The impact is limited to availability; there is no evidence of data breach or privilege escalation from the provided sources [1][3].
Mitigation
Cube has released patches in versions 1.5.13 (regular release) and 1.4.2 (active LTS release) [3]. Users running any version between 1.1.17 and these patched versions should upgrade immediately. No workarounds are mentioned in the advisories; updating to the latest fixed version is the recommended course of action [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @cubejs-backend/server-core (npm) | >= 1.1.17, < 1.4.2 | 1.4.2 |
| @cubejs-backend/server-core (npm) | >= 1.5.0, < 1.5.13 | 1.5.13 |
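As an added example (not code from the advisory or the Cube project), the script below encodes the two affected ranges from the table and checks every installed copy of @cubejs-backend/server-core in a package-lock.json against them, so a deployment can be triaged before upgrading to 1.5.13 or 1.4.2. The lockfile fragment and its nested package paths are constructed sample data, and the parser assumes plain release versions of the form MAJOR.MINOR.PATCH.

```javascript
// Affected ranges copied from the GHSA table: 1.4.2 (LTS) and 1.5.13 (regular) are the fixes.
const AFFECTED_RANGES = [
  { min: "1.1.17", maxExclusive: "1.4.2" },
  { min: "1.5.0", maxExclusive: "1.5.13" },
];

// Parse "MAJOR.MINOR.PATCH" into a numeric triple.
// Assumption: release versions only; prerelease/build suffixes are rejected rather than guessed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two versions numerically (not as strings, so 1.10.0 > 1.9.0): <0, 0, or >0.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when the version sits inside any affected range (lower bound inclusive, upper exclusive).
// Note the gap: 1.4.2 through 1.4.x are patched LTS releases, but 1.5.0 re-enters the affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report every
// installed copy of the vulnerable package, including nested duplicates, that is affected.
function findAffectedInLock(lock, pkg = "@cubejs-backend/server-core") {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${pkg}`) && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@cubejs-backend/server-core": { version: "1.5.12" },
    "node_modules/@cubejs-backend/api-gateway": { version: "1.5.12" },
    "node_modules/legacy-app/node_modules/@cubejs-backend/server-core": { version: "1.4.2" },
  },
};

console.log(findAffectedInLock(SAMPLE_LOCK));
```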
Affected products (2)
- Range: <1.4.2 or >=1.1.17 <1.5.13
- cube-js/cube: Range >= 1.1.17, < 1.4.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
1. github.com/advisories/GHSA-9vph-2hvm-x66g (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2026-25957 (advisory)
3. github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g (x_refsource_CONFIRM, web)
News mentions (0)
No linked articles in our index yet.