CVE-2026-25958

EUVD-2026-6241
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
GitHub_MCNA
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
cubecube.js
0.27.19 ≤
𝑥
< 1.0.14
cubecube.js
1.1.0 ≤
𝑥
< 1.4.2
cubecube.js
1.5.0 ≤
𝑥
< 1.5.13
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7