CVE Reports

Originally published at cvereports.com

CVE-2026-25958: The Cube Root of Chaos: Smuggling Admin Privileges via WebSocket Pollution

Vulnerability ID: CVE-2026-25958
CVSS Score: 7.7
Published: 2026-02-10

Cube (formerly Cube.js) is the self-proclaimed 'semantic layer' for building data applications—a fancy way of saying it sits between your messy SQL databases and your pretty frontend charts. In versions prior to 1.5.13, Cube suffered from a catastrophic logic error in its WebSocket gateway and async handling.

By simply asking nicely (read: injecting a JSON object), a low-privileged user could override their own security context. Even worse, a race condition in the promise chain allowed user contexts to 'bleed' into one another, meaning your request for 'My Sales' might accidentally return 'competitor_sales' if the server was busy enough. This is a classic case of trusting client input combined with the distinct misery of Node.js event loop management.

TL;DR

An authenticated attacker can escalate privileges by injecting a securityContext object into WebSocket messages or triggering a race condition in the API gateway. This allows bypassing Row-Level Security (RLS) and multi-tenant isolation, granting full admin access or data visibility across tenants.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-807
  • Attack Vector: Network (WebSocket)
  • CVSS: 7.7 (High)
  • Impact: Privilege Escalation / Info Disclosure
  • Exploit Status: PoC Available
  • Fix Complexity: Low (Version Upgrade)

Affected Systems

  • Cube.js API Gateway
  • Cube Server Core
  • Node.js Semantic Layer implementations
  • Cube: 0.27.19 - < 1.0.14 (Fixed in: 1.0.14)
  • Cube: 1.1.0 - < 1.4.2 (Fixed in: 1.4.2)
  • Cube: 1.5.0 - < 1.5.13 (Fixed in: 1.5.13)

Code Analysis

Commit: 6271520

Fix: WebSocket message sanitization using Zod schemas

+ const LoadRequestSchema = z.object({ ... });
- const query = message.params;
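
Review bot: The added `LoadRequestSchema` line uses a plain `z.object({ ... })`, which by default drops unknown keys from the parsed result instead of rejecting the message, and the visible lines do not show the schema being applied where `const query = message.params;` was removed. Consider `.strict()` so a message carrying an unexpected key such as `securityContext` fails validation outright, and make sure only the parsed output, never `message.params`, is passed downstream.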

Commit: 9e9f9d1

Fix: Async boundary race conditions in gateway

- this.loadImpl(options, (err, res) => { ... });
+ await this.loadImpl(options);
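
Review bot: On the `+ await this.loadImpl(options);` line, the removed callback's `err` and `res` arguments have no visible replacement, so a rejection now propagates to the enclosing function and the resolved value is discarded. Wrap the call in try/catch (or confirm the caller handles the rejection) and keep the result if it is still needed, e.g. `const res = await this.loadImpl(options);`.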

Exploit Details

  • NVD: Advisory details indicating WebSocket parameter pollution.
  • GitHub Security Advisory: Technical description of the context bleeding and pollution vectors.

Mitigation Strategies

  • Input Validation Hardening
  • Attack Surface Reduction
  • Concurrency Management

Remediation Steps:

  1. Update @cubejs-backend/server-core and related packages to version 1.5.13 or 1.4.2.
  2. Review custom security context middleware to ensure it does not merge user-supplied params.
  3. Set CUBEJS_WEB_SOCKETS=false if WebSocket transport is not strictly required.
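
An added example for remediation step 2 (not Cube's code and not part of the original report): a context-merging pattern that lets client params override the security context, next to an allowlist-based replacement. The function names, message shape, allowed fields and sample values are all hypothetical.

```javascript
// Added example: hypothetical helpers, not Cube's source or wire format.
// Context derived server-side from the verified token (constructed sample).
const authContext = { securityContext: { tenantId: 'tenant-a', role: 'viewer' } };

// Vulnerable pattern: client params are spread last, so any key the client
// sends (including securityContext) replaces the server-derived value.
function buildContextUnsafe(auth, message) {
  return { ...auth, ...message.params };
}

// Hardened pattern: only allowlisted, type-checked fields are copied from the
// client, unknown keys are rejected, and securityContext comes from auth only.
const ALLOWED_PARAMS = { query: 'object', queryType: 'string' }; // assumed fields

function buildContextSafe(auth, message) {
  const params = message.params;
  if (params === null || typeof params !== 'object' || Array.isArray(params)) {
    throw new TypeError('params must be an object');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(params)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_PARAMS, key)) {
      throw new TypeError(`unexpected param: ${key}`);
    }
    if (typeof params[key] !== ALLOWED_PARAMS[key] || params[key] === null) {
      throw new TypeError(`bad type for param: ${key}`);
    }
    clean[key] = params[key];
  }
  // Server-derived context is applied last and frozen so later code cannot swap it.
  const securityContext = Object.freeze({ ...auth.securityContext });
  return Object.freeze({ ...clean, securityContext });
}

// Constructed messages for the demonstration.
const normalMessage = { params: { query: { measures: ['Orders.count'] } } };
const pollutedMessage = {
  params: { query: { measures: ['Orders.count'] }, securityContext: { role: 'admin' } },
};

// Helper: true when fn throws the validation error instead of returning a context.
function rejects(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}
```

Rejecting unknown keys, rather than silently dropping them, also gives you a validation failure to log and alert on.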

Read the full report for CVE-2026-25958 on our website for more details including interactive diagrams and full exploit analysis.