logo

Database

Lack of data validation - Trust boundary violation In @cubejs-backend/server-core

Description

Cube Core is vulnerable to privilege escalation via a specially crafted request

Impact

It is possible to make a specially crafted request with a valid API token that leads to privilege escalation.

Affected Versions:

≥= 0.27.19

Mitigation:

Upgrade to a patched version:

    1.5.13 and later (regular release)

    1.4.2 (active LTS release)

    1.0.14 (end-of-life LTS release)

References

The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-259582. NVD-2026-259583. OSV-2026-259584. GHSA-v226-32c7-x2v75. GCVE-2026-25958

References

1. https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.