CVE-2026-25958

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.

### **Impact** It is possible to make a specially crafted request with a valid API token that leads to privilege escalation. ### Affected Versions: `≥= 0.27.19` ### Mitigation: Upgrade to a patched version: - 1.5.13 and later (regular release) - 1.4.2 (active [LTS release](https://cube.dev/docs/product/administration/distribution#long-term-support)) - 1.0.14 (end-of-life LTS release) ### **References** The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

### **Impact** It is possible to make a specially crafted request with a valid API token that leads to privilege escalation. ### Affected Versions: `≥= 0.27.19` ### Mitigation: Upgrade to a patched version: - 1.5.13 and later (regular release) - 1.4.2 (active [LTS release](https://cube.dev/docs/product/administration/distribution#long-term-support)) - 1.0.14 (end-of-life LTS release) ### **References** The issue was reported by our Core engineer, Dmitrii Patsura (@ovr), in our internal Slack and was promptly patched in a recent update.

Cube es una capa semántica para construir aplicaciones de datos. Desde 0.27.19 hasta antes de 1.5.13, 1.4.2 y 1.0.14, es posible realizar una solicitud especialmente diseñada con un token de API válido que conduce a una escalada de privilegios. Esta vulnerabilidad está corregida en 1.5.13, 1.4.2 y 1.0.14.