9 matches found
Denial Of Service (DoS)
@cubejs-backend/server-core is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper handling of specially crafted requests to a Cube API endpoint, which allows an attacker to make the entire Cube API unavailable...
Privilege Escalation
@cubejs-backend/server-core is vulnerable to Privilege Escalation. The vulnerability is due to improper authorization validation of specially crafted requests using a valid API token, which allows an attacker to escalate privileges beyond their intended access level...
@cubejs-backend/server (>=1.5.0 <=1.5.12), @cubejs-backend/testing-drivers (>=1.5.0 <=1.5.12) potentially affected by CVE-2026-25958 via @cubejs-backend/server-core (>=1.5.0 <=1.5.12)
@cubejs-backend/server-core NPM version =1.5.0, =1.5.0, =1.5.0, =1.5.12 Source cves: CVE-2026-25958 Source advisory: OSV:GHSA-V226-32C7-X2V7...
@cubejs-backend/server (>=1.1.0 <=1.4.1), @cubejs-backend/testing-drivers (>=1.1.0 <=1.4.1) potentially affected by CVE-2026-25958 via @cubejs-backend/server-core (>=1.1.0 <=1.4.1)
@cubejs-backend/server-core NPM version =1.1.0, =1.1.0, =1.1.0, =1.4.1 Source cves: CVE-2026-25958 Source advisory: OSV:GHSA-V226-32C7-X2V7...
@cubejs-backend/server (>=1.5.0 <=1.5.12), @cubejs-backend/server-core (>=1.5.0 <=1.5.12) +1 more potentially affected by CVE-2026-25958 via @cubejs-backend/api-gateway (>=1.5.0 <=1.5.12)
@cubejs-backend/api-gateway NPM version =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.12 Source cves: CVE-2026-25958 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265447...
@cubejs-backend/server (>=1.1.2 <=1.4.0), @cubejs-backend/server-core (>=1.1.2 <=1.4.0) +2 more potentially affected by CVE-2026-25957 via @cubejs-backend/api-gateway (>=1.1.17 <=1.4.0)
@cubejs-backend/api-gateway NPM version =1.1.17, =1.1.2, =1.1.2, =1.1.2, =1.4.0 - cubejs-backend-server-core-fork =1.1.3 Source cves: CVE-2026-25957 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265448...
Denial Of Service (DoS)
@cubejs-backend/api-gateway is vulnerable to Denial Of Service (DoS). The vulnerability exists in gateway.ts, allowing an attacker to cause an application crash by submitting a crafted query...
SQL Injection
@cubejs-backend/api-gateway is vulnerable to SQL Injection attacks. A specially crafted statement sent through the /v1/sql-runner endpoint allows a malicious authenticated user to inject and execute arbitrary SQL queries on the target system...
Default Express middleware security check is ignored in production
Impact: All Cube.js deployments that use affected versions of @cubejs-backend/api-gateway with the default Express authentication middleware in a production environment are affected. Patches: @cubejs-backend/[email protected] Workaround...