CVE-2026-25958: Cube Core is vulnerable to privilege escalation via a specially crafted request

February 10, 2026

<strong>Impact</strong>

It is possible to make a specially crafted request with a valid API token that leads to privilege escalation.

Affected Versions:

≥= 0.27.19

Mitigation:

Upgrade to a patched version:

1.5.13 and later (regular release)
1.4.2 (active LTS release)
1.0.14 (end-of-life LTS release)

<strong>References</strong>

The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

References

github.com/advisories/GHSA-v226-32c7-x2v7
github.com/cube-js/cube
github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7
nvd.nist.gov/vuln/detail/CVE-2026-25958

Code Behaviors & Features

Detect and mitigate CVE-2026-25958 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →