{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25958", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.066Z", "datePublished": "2026-02-09T22:42:54.404Z", "dateUpdated": "2026-02-11T21:26:55.991Z"}, "containers": {"cna": {"title": "Cube privilege escalation via a specially crafted request", "problemTypes": [{"descriptions": [{"cweId": "CWE-807", "lang": "en", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7"}], "affected": [{"vendor": "cube-js", "product": "cube", "versions": [{"version": ">= 0.27.19, < 1.0.14", "status": "affected"}, {"version": ">= 1.1.0, < 1.4.2", "status": "affected"}, {"version": ">= 1.5.0, < 1.5.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T22:42:54.404Z"}, "descriptions": [{"lang": "en", "value": "Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14."}], "source": {"advisory": "GHSA-v226-32c7-x2v7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:26:50.545357Z", "id": "CVE-2026-25958", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:26:55.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T21:26:50.545357Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:26:53.479Z"}}], "cna": {"title": "Cube privilege escalation via a specially crafted request", "source": {"advisory": "GHSA-v226-32c7-x2v7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cube-js", "product": "cube", "versions": [{"status": "affected", "version": ">= 0.27.19, < 1.0.14"}, {"status": "affected", "version": ">= 1.1.0, < 1.4.2"}, {"status": "affected", "version": ">= 1.5.0, < 1.5.13"}]}], "references": [{"url": "https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7", "name": "https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T22:42:54.404Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25958", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:26:55.991Z", "dateReserved": "2026-02-09T17:13:54.066Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T22:42:54.404Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "78B8CBDB-7E95-45F7-B916-A2CEA52AF86C", "versionEndExcluding": "1.0.14", "versionStartIncluding": "0.27.19", "vulnerable": true}, {"criteria": "cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A7012092-D8D0-451C-BF39-8B34AEC74673", "versionEndExcluding": "1.4.2", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BE6B3000-94CC-46CE-BA90-87D559D6F536", "versionEndExcluding": "1.5.13", "versionStartIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14."}, {"lang": "es", "value": "Cube es una capa sem\u00e1ntica para construir aplicaciones de datos. Desde 0.27.19 hasta antes de 1.5.13, 1.4.2 y 1.0.14, es posible realizar una solicitud especialmente dise\u00f1ada con un token de API v\u00e1lido que conduce a una escalada de privilegios. Esta vulnerabilidad est\u00e1 corregida en 1.5.13, 1.4.2 y 1.0.14."}], "id": "CVE-2026-25958", "lastModified": "2026-02-19T19:36:28.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T23:16:06.957", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.27.19,1.0.14)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.0,1.4.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0,1.5.13)"}}], "product": "cube", "vendor": "cube-js"}], "analysis": {"en": {"generated_at": "2026-04-17T21:02:56.646516+00:00", "value": {"mitigation_remediation": ["Upgrade Cube to a fixed release\u20141.5.13, 1.4.2, or 1.0.14 depending on your deployment.", "Restrict the use of API tokens to the minimum set of permissions required for each user or application and rotate or revoke unused tokens.", "Audit application logs for unexpected privilege changes or anomalous API calls and enforce strict role\u2011based access control policies."], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Cube version 0.27.19 up to, but not including, 1.5.13, 1.4.2, and 1.0.14 are affected. Users running any of these supported releases should verify whether their installation matches the vulnerable version range and consider the impact of privileged API token misuse.", "description_and_impact": "Cube, a semantic data layer for building applications, contains a flaw that allows a user with a valid API token to execute a specially crafted request that elevates their privileges. The vulnerability follows the CWE\u2011807 \u201cPrivilege Escalation by Insufficient Authorization Checks\u201d pattern and is described as a direct elevation of privileges, not a general remote code execution or denial\u2011of\u2011service condition.", "risk_and_exploitability": "The CVSS score of 7.7 indicates medium\u2011to\u2011high severity, and the EPSS score of less than 1% suggests that exploitation occurs with low probability as of the measured data. The vulnerability is not listed in the CISA KEV catalog, implying it has not yet been widely exploited in the wild. Attackers would need a valid API token to send the crafted request, indicating that the primary vector is authenticated API usage; however, because tokens can sometimes be leaked or reused, the risk remains significant for systems with broad token scopes. The lack of a known workaround emphasizes the importance of applying the vendor\u2019s patched releases to mitigate this privileged contention."}}}}, "created": "2026-02-10T11:34:50.811442+00:00", "updated": "2026-04-17T21:15:27.373462+00:00", "vendors": ["cube-js", "cube-js$PRODUCT$cube"]}