GHSA-v226-32c7-x2v7

Source
https://github.com/advisories/GHSA-v226-32c7-x2v7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-v226-32c7-x2v7/GHSA-v226-32c7-x2v7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v226-32c7-x2v7
Aliases
Published
2026-02-10T00:29:07Z
Modified
2026-02-22T23:25:43.580372Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
Cube Core is vulnerable to privilege escalation via a specially crafted request
Details

Impact

It is possible to make a specially crafted request with a valid API token that leads to privilege escalation.

Affected Versions:

≥ 0.27.19

Mitigation:

Upgrade to a patched version:

  • 1.5.13 and later (regular release)
  • 1.4.2 (active LTS release)
  • 1.0.14 (end-of-life LTS release)

References

The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

Database specific
{
    "nvd_published_at": "2026-02-09T23:16:06Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-807"
    ],
    "github_reviewed_at": "2026-02-10T00:29:07Z",
    "severity": "HIGH"
}
References

Affected packages

npm / @cubejs-backend/server-core

Package

Name
@cubejs-backend/server-core
Purl
pkg:npm/%40cubejs-backend/server-core

Affected ranges

Type
SEMVER
Events
Introduced
0.27.19
Fixed
1.0.14

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-v226-32c7-x2v7/GHSA-v226-32c7-x2v7.json"

npm / @cubejs-backend/server-core

Package

Name
@cubejs-backend/server-core
Purl
pkg:npm/%40cubejs-backend/server-core

Affected ranges

Type
SEMVER
Events
Introduced
1.1.0
Fixed
1.4.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-v226-32c7-x2v7/GHSA-v226-32c7-x2v7.json"

npm / @cubejs-backend/server-core

Package

Name
@cubejs-backend/server-core
Purl
pkg:npm/%40cubejs-backend/server-core

Affected ranges

Type
SEMVER
Events
Introduced
1.5.0
Fixed
1.5.13

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-v226-32c7-x2v7/GHSA-v226-32c7-x2v7.json"