FIND-20260329-016 · 2026-03-29 · Innovation Veille
cube-js/cube — CVE-2026-25958 privilege escalation via crafted API token request
cve
MEDIUM
CVE-2026-25958 (February 2026): Cube Core semantic layer versions from 0.27.19 up to, but not including, 1.5.13, 1.4.2 and 1.0.14 allow privilege escalation via a specially crafted request made with a valid API token. Fixed in 1.5.13, 1.4.2, 1.0.14. Cube also has a non-standard license (NOASSERTION / Business Source License), which limits commercial use. Its 907 open issues and high complexity indicate a maintenance burden.
Source
https://nvd.nist.gov/vuln/detail/CVE-2026-25958
ODS Impact
ODS Data Platform (P2) uses ClickHouse + Metabase for BI, not Cube. However, Cube is sometimes evaluated as an alternative semantic layer in front of ClickHouse. This CVE, combined with the non-standard license, makes Cube a poor choice for ODS. Metabase remains the recommended BI layer.
Security Review
License: NOASSERTION (BSL — not OSS) | Maintenance: ACTIVE | Risk: HIGH | Recommendation: DO_NOT_USE
Tags
cube
cve
privilege-escalation
bi
semantic-layer