Impact
Cube, a semantic data layer for building applications, contains a flaw that allows a user with a valid API token to execute a specially crafted request that elevates their privileges. The vulnerability follows the CWE‑807 “Privilege Escalation by Insufficient Authorization Checks” pattern and is described as a direct elevation of privileges, not a general remote code execution or denial‑of‑service condition.
Affected Systems
Cube versions from 0.27.19 up to, but not including, 1.5.13, 1.4.2, and 1.0.14 are affected. Users running a release in this range should verify whether their installation falls within the vulnerable versions and weigh the impact of a misused privileged API token.
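To make the version check above concrete, here is a small standalone checker. It is an added example, not code from the advisory or from the Cube project, and it reads the three listed versions as the first safe release on their respective minor lines (1.5.x, 1.4.x, 1.0.x); a version at or above 0.27.19 on a minor line with no listed fix (for example 1.2.x) is treated as affected, with the next listed fix above it as the upgrade target. That interpretation is an assumption, as is the `upgrade_target` helper name.

```python
"""Check whether a Cube version string is inside the advisory's affected range.

Assumptions (not stated by the advisory): 1.5.13, 1.4.2 and 1.0.14 are the
first safe releases on the 1.5.x, 1.4.x and 1.0.x lines, and a version on a
line without a listed fix is affected until the next listed fix above it.
"""
import re

FIRST_AFFECTED = "0.27.19"
FIXED_VERSIONS = ["1.5.13", "1.4.2", "1.0.14"]


def parse_version(text):
    """Return (major, minor, patch) as ints; tolerates a leading 'v' and a pre-release suffix."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True when the version lies in the affected range under the assumptions above."""
    version = parse_version(text)
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    if version < parse_version(FIRST_AFFECTED):
        return False                      # predates the vulnerable code
    if version >= max(fixes):
        return False                      # at or beyond the newest fix
    for fix in fixes:
        if version[:2] == fix[:2]:        # same major.minor line as a listed fix
            return version < fix
    return True                           # assumption: no fix on this line yet


def upgrade_target(text):
    """Smallest listed fix above the version, or None when it is not affected."""
    if not is_affected(text):
        return None
    version = parse_version(text)
    candidates = [f for f in FIXED_VERSIONS if parse_version(f) > version]
    return min(candidates, key=parse_version)


if __name__ == "__main__":
    import sys
    # Constructed sample versions; pass real ones on the command line instead.
    samples = sys.argv[1:] or ["0.27.18", "0.27.19", "1.0.13", "1.2.0", "1.4.2", "1.5.12", "1.6.0"]
    for sample in samples:
        status = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample:>10}  {status:13} upgrade to: {upgrade_target(sample)}")
```

Run it with the version reported by your deployment (for example `python check.py 1.5.12`); an `AFFECTED` line names the nearest listed release to move to.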
Risk and Exploitability
The CVSS score of 7.7 indicates medium-to-high severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the time the score was computed. The vulnerability is not listed in the CISA KEV catalog, implying it has not yet been widely exploited in the wild. An attacker needs a valid API token to send the crafted request, so the primary vector is authenticated API usage; however, because tokens can be leaked or reused, the risk remains significant for systems whose tokens carry broad scopes. With no known workaround, applying the vendor's patched releases is the only way to mitigate this privilege escalation.
Sources: OpenCVE enrichment; GitHub GHSA.