CVE-2026-25958 in cube
Summary
by MITRE • 02/10/2026
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability identified as CVE-2026-25958 affects Cube, a semantic layer designed for building data applications that enables developers to create complex data models and analytics dashboards. This security flaw exists across multiple version ranges including 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, representing a significant concern for organizations relying on this data infrastructure tool. The vulnerability manifests through a specific attack vector where malicious actors can construct specially crafted requests that leverage valid API tokens to achieve unauthorized privilege escalation.
This vulnerability stems from inadequate access control mechanisms within Cube's authentication and authorization framework. When legitimate API tokens are used in conjunction with crafted request parameters, the system fails to properly validate the request context and user permissions, allowing attackers to elevate their privileges beyond what their original token permissions should permit. This represents a classic privilege escalation flaw that operates at the application layer, potentially enabling unauthorized users to access restricted data sets, modify system configurations, or perform administrative functions.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it can compromise the integrity and confidentiality of data applications built on the Cube platform. Organizations utilizing affected versions may experience unauthorized data exposure, potential data manipulation, and the possibility of complete system compromise if attackers can leverage this privilege escalation to gain administrative control. The vulnerability affects the core security model of the platform, undermining trust in the authentication system and potentially exposing sensitive business intelligence and operational data.
From a cybersecurity perspective, this vulnerability aligns with CWE-276, which describes improper privilege management, and represents a critical weakness in the software's access control implementation. The ATT&CK framework categorizes this under privilege escalation, specifically the T1068 privilege escalation sub-technique. Organizations should immediately upgrade to the fixed versions 1.5.13, 1.4.2, and 1.0.14 and conduct thorough security audits of their Cube implementations. Additional protective measures, such as monitoring for unusual API token usage patterns, implementing stricter API request validation, and conducting regular privilege access reviews, should be considered to reduce the attack surface and prevent exploitation of this vulnerability.
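A version check built from the ranges quoted above, as an added example (not code from Cube, MITRE or VulDB). It assumes plain x.y.z version strings, that releases newer than 1.5.13 carry the fix, and that in-range branches with no listed fix are still affected; the inventory names are constructed.

```javascript
// Added example: classify a Cube version against the ranges quoted in the advisory.
// First affected release and per-branch fixed releases, taken from the advisory text.
const FIRST_AFFECTED = [0, 27, 19];
const FIXED_BY_BRANCH = { "1.0": 14, "1.4": 2, "1.5": 13 };
const HIGHEST_FIXED = [1, 5, 13];

// Parse "1.4.1" or "v1.4.1" into [major, minor, patch]; null if not plain x.y.z.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Three-way compare of [major, minor, patch] arrays.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classifyCubeVersion(text) {
  const v = parseVersion(text);
  if (v === null) return "unparsed"; // pre-release tags and the like: review by hand
  if (compare(v, FIRST_AFFECTED) < 0) return "not-affected";
  const fixedPatch = FIXED_BY_BRANCH[`${v[0]}.${v[1]}`];
  if (fixedPatch !== undefined) {
    return v[2] >= fixedPatch ? "fixed" : "affected";
  }
  // Assumption: releases newer than the highest fixed version carry the fix.
  if (compare(v, HIGHEST_FIXED) > 0) return "fixed";
  // In range, on a branch with no listed fix (e.g. 0.36.x, 1.3.x): treat as affected.
  return "affected";
}

// Constructed sample inventory (hypothetical deployment names).
const inventory = {
  "reporting-api": "1.4.1",
  "bi-gateway": "1.5.13",
  "legacy-dash": "0.36.4",
  "old-poc": "0.27.18",
  "canary": "1.6.0-beta.1",
};
for (const [name, version] of Object.entries(inventory)) {
  console.log(`${name}\t${version}\t${classifyCubeVersion(version)}`);
}
```

Anything reported as "affected" on a branch without a listed fix has to move to one of the fixed branches rather than to a later patch of its own branch.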