CVE-2026-25957: Cube Core is vulnerable to Denial of Service (DoS) via crafted request

February 10, 2026

<strong>Impact</strong>

It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.

Affected Versions:

>= 1.1.17

Mitigation:

Upgrade to a patched version:

1.5.13 and later (regular release)
1.4.2 (active LTS release)

<strong>References</strong>

The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

References

github.com/advisories/GHSA-9vph-2hvm-x66g
github.com/cube-js/cube
github.com/cube-js/cube/security/advisories/GHSA-9vph-2hvm-x66g
nvd.nist.gov/vuln/detail/CVE-2026-25957

Code Behaviors & Features

Detect and mitigate CVE-2026-25957 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →