Cube privilege escalation via a specially crafted request
Description
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cube semantic layer versions 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14 allow privilege escalation via a specially crafted request with a valid API token.
Vulnerability
Overview
The vulnerability in Cube, an open-source semantic layer for building data applications, allows privilege escalation through a specially crafted request. The flaw affects versions from 0.27.19 up to, but not including, the patched versions 1.5.13, 1.4.2, and 1.0.14 [1][3]. The exact root cause is not detailed in the public advisories, but it involves improper authorization checks that can be bypassed when an attacker sends a manipulated request using a valid API token [3].
Exploitation
An attacker must possess a valid API token to exploit this vulnerability. By crafting a specific request, they can elevate their privileges within the Cube instance [1][3]. No further prerequisites, such as network position or additional authentication, are disclosed in the available references. The attack surface is limited to authenticated users with at least some level of access, but the impact is significant as it allows unauthorized privilege escalation.
Impact
Successful exploitation grants an attacker higher privileges than intended for their token. This could allow access to sensitive data, manipulation of cube schemas, or other administrative actions depending on the deployment context [1][3]. The exact scope of escalated privileges (e.g., becoming an admin or accessing restricted data cubes) is not specified in public sources, but the advisory classifies this as a privilege escalation vulnerability.
Mitigation
Cube has released fixes in versions 1.5.13 (regular), 1.4.2 (active LTS), and 1.0.14 (end-of-life LTS) [3]. Users are strongly advised to upgrade to one of these patched versions. No workarounds are documented in the provided references. The vulnerability was discovered internally and patched promptly [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@cubejs-backend/server-corenpm | >= 0.27.19, < 1.0.14 | 1.0.14 |
@cubejs-backend/server-corenpm | >= 1.1.0, < 1.4.2 | 1.4.2 |
@cubejs-backend/server-corenpm | >= 1.5.0, < 1.5.13 | 1.5.13 |
Affected products
2- Range: >=0.27.19, <1.5.13 || <1.4.2 || <1.0.14
- cube-js/cubev5Range: >= 0.27.19, < 1.0.14
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-v226-32c7-x2v7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25958ghsaADVISORY
- github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.