Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.
AnalysisAI
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sensitive project data from other tenants. The vulnerability exists in the template generation endpoint (GET /team/:team_id/template/generate/:project_id), where unawaited promise execution and missing tenant validation enable attackers with valid template-generation permissions in their own team to access chart configurations, database connection details, and query structures from victim teams' projects. No public exploit identified at time of analysis. CVSS 7.7 reflects high confidentiality impact with scope change due to cross-tenant boundary violation.
Technical ContextAI
CWE-285 improper authorization stems from race condition in asynchronous access control. The checkAccess(req, "updateAny", "chart") promise executes without await keyword, causing handler to proceed before authorization completes. Missing ownership verification between project_id and team_id parameters allows arbitrary project access. Scope change (S:C) in CVSS vector reflects privilege escalation across tenant boundaries in multi-tenant architecture.
RemediationAI
Vendor-released patch: version 4.9.0. Organizations running Chartbrew must immediately upgrade to version 4.9.0 or later, which implements synchronous await on authorization checks and adds project-to-team ownership validation. The fix is available via commit bf5919043d3587fcbe76123aaabd9a0a9d1033f1. As temporary mitigation, restrict template generation permissions to trusted users only and audit access logs for suspicious cross-team project access attempts. No effective workaround exists without upgrading. Full security advisory: https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj. Verify tenant isolation after patching by testing project access controls across team boundaries.
SQL injection in Chartbrew before 4.8.3. PoC available.
Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu
Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21553