Cyber Posture

CVE-2026-25958

Severity: High
Published: 09 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: fixed in 1.5.13, 1.4.2, and 1.0.14
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0002 (6.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25958 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Cube (cube.js). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 6.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-6 Least Privilege (prevent): enforces least privilege to prevent low-privilege API token holders from escalating access through specially crafted requests.
- AC-3 Access Enforcement (prevent): enforces approved access authorizations to block privilege escalation resulting from flawed handling of crafted API requests.
- Input validation (prevent): validates information inputs from API requests to mitigate exploitation of specially crafted inputs leading to privilege escalation.

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE is explicitly a post-authentication privilege escalation vulnerability (PR:L via valid API token) that is directly exploitable over the network, matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.

Deeper analysis

CVE-2026-25958 is a privilege escalation vulnerability in Cube, a semantic layer for building data applications. It affects versions from 0.27.19 up to but excluding 1.5.13, 1.4.2, and 1.0.14, where a specially crafted request using a valid API token can be made to escalate privileges. The issue carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and is categorized under CWE-807.

An authenticated attacker with low privileges (PR:L), such as one holding a valid API token, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation changes scope and results in high confidentiality impact, enabling the attacker to escalate privileges and access sensitive data that would otherwise be restricted.

Cube has addressed this vulnerability in versions 1.5.13, 1.4.2, and 1.0.14. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/cube-js/cube/security/advisories/GHSA-v226-32c7-x2v7.

Details

CWE(s)

CWE-807 Reliance on Untrusted Inputs in a Security Decision

Affected Products

cube / cube.js
Affected versions: 0.27.19 to before 1.0.14; 1.1.0 to before 1.4.2; 1.5.0 to before 1.5.13

CVEs Like This One

- CVE-2025-1126 (shared CWE-807)
- CVE-2026-41299 (shared CWE-807)
- CVE-2026-32057 (shared CWE-807)
- CVE-2026-20849 (shared CWE-807)
- CVE-2026-21514 (shared CWE-807)
- CVE-2026-29134 (shared CWE-807)
- CVE-2026-41380 (shared CWE-807)
- CVE-2024-13974 (shared CWE-807)
- CVE-2026-21509 (shared CWE-807)
- CVE-2025-13926 (shared CWE-807)

References