Cube Core is vulnerable to privilege escalation via a specially crafted request
- Severity: High
Description
It is possible to make a specially crafted request with a valid API token that leads to privilege escalation.
Recommendation
Update the @cubejs-backend/server-core package to the latest compatible version. Version details:
- Affected version(s): **>= 1.5.0, < 1.5.13**; **>= 1.1.0, < 1.4.2**; **>= 0.27.19, < 1.0.14**
- Patched version(s): **1.5.13**, **1.4.2**, **1.0.14**
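To find every installed copy that falls inside the affected ranges, the following added example (not part of the advisory or of the Cube project) scans the `packages` map of a package-lock.json, including nested node_modules. The sample lockfile is constructed, the function names are illustrative, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
// Added example: flag affected @cubejs-backend/server-core copies in a lockfile.
const PKG = '@cubejs-backend/server-core';

// Ranges from the advisory: [inclusive lower bound, exclusive upper bound].
// The upper bound is also the patched version for that release line.
const AFFECTED = [
  ['0.27.19', '1.0.14'],
  ['1.1.0', '1.4.2'],
  ['1.5.0', '1.5.13'],
];

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored (assumption).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison; a string comparison would rank 1.5.9 above 1.5.13.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to move to, or null if the version is not affected.
function patchedFor(version) {
  const hit = AFFECTED.find(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) < 0);
  return hit ? hit[1] : null;
}

// Walk every installed copy, not only the top-level one.
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PKG}`)) continue;
    const fix = patchedFor(meta.version);
    if (fix) findings.push({ path, version: meta.version, fix });
  }
  return findings;
}

// Constructed sample lockfile fragment (lockfileVersion 2/3 layout).
const sampleLock = { packages: {
  'node_modules/@cubejs-backend/server-core': { version: '1.5.7' },
  'node_modules/@cubejs-backend/server/node_modules/@cubejs-backend/server-core': { version: '1.4.2' },
  'tools/legacy/node_modules/@cubejs-backend/server-core': { version: '0.36.2' },
} };
console.log(scanLock(sampleLock));
```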
Related Issues
- Cube Core is vulnerable to Denial of Service (DoS) via crafted request - CVE-2026-25957
- TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update - CVE-2025-60542
- StudioCMS has Privilege Escalation via Insecure API Token Generation - CVE-2026-30944
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
- Tags: npm, @cubejs-backend/server-core
Last updated on February 10, 2026