Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25958.json",
"cwe_ids": [
"CWE-807"
],
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:cube:cube.js:*:*:*:*:*:node.js:*:*",
"source": "CPE_RANGE",
"extracted_events": [
{
"introduced": "0.27.19"
},
{
"fixed": "1.0.14"
},
{
"introduced": "1.1.0"
},
{
"fixed": "1.4.2"
},
{
"introduced": "1.5.0"
},
{
"fixed": "1.5.13"
}
]
}