Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.
AnalysisAI
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart export routes. Attackers who know a chart identifier in any public project can read or export charts that were intentionally excluded from public reports, bypassing SharePolicy access controls. The vulnerability requires only network access and a valid chart ID, with no authentication or user interaction needed. Patched in version 5.0.0 per vendor advisory GHSA-mq7q-6xh6-5649. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L).
Technical ContextAI
Chartbrew is an open-source web application for database and API visualization. The vulnerability stems from improper access control (CWE-284) in HTTP routes handling public chart retrieval and export. The affected routes perform project-level public access verification and team-level export toggle checks, but fail to validate chart-level permissions via the SharePolicy mechanism. This creates an Insecure Direct Object Reference (IDOR) vulnerability where chart identifiers can be used to bypass intended access restrictions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is exploitable remotely without authentication, low complexity, and requires no user interaction. The application uses Node.js and has been affected since at least version 4.9.0, with the fix introduced in version 5.0.0 through a comprehensive UI overhaul and codebase refactoring.
RemediationAI
Upgrade to Chartbrew version 5.0.0 or later immediately, available at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. The vendor confirms no manual migration required for v4 users, though updating to Node.js v22+ is recommended. The patch addresses the authentication bypass through improved access control validation in public chart routes. If immediate patching is not feasible, implement compensating controls: disable team-level export functionality in admin settings to prevent chart data exports (trade-off: legitimate export features unavailable to all users), restrict public project access entirely until patching (trade-off: breaks intended public dashboard functionality), or implement reverse proxy/WAF rules to block unauthenticated requests to chart export endpoints matching patterns /api/*/chart/*/export or similar (trade-off: requires precise endpoint mapping and may break legitimate public access if rules are too broad). Review application logs for suspicious chart access patterns from unauthenticated sources prior to patching. Rotate any sensitive data exposed through hidden charts if unauthorized access is suspected.
SQL injection in Chartbrew before 4.8.3. PoC available.
Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu
Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26407