Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. This issue has been patched in version 5.0.0.
AnalysisAI
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, data requests, and database connections belonging to other projects within the same team. Attackers with credentials to any single project can read, modify, create, and delete data assets across all sibling projects by exploiting missing project-level authorization checks on multiple API endpoints. This enables cross-project data exfiltration and unauthorized execution of victim database queries remotely with low complexity (EPSS not provided, no CISA KEV listing, vendor-patched in v5.0.0).
Technical ContextAI
Chartbrew is an open-source data visualization platform that connects to databases and APIs to generate charts. The vulnerability stems from CWE-284 (Improper Access Control) where the application performs authorization at the team membership level rather than validating project-specific ownership. The affected endpoints (dataset, dataRequest, connection management APIs) fail to bind the requested resource IDs (dataset_id, dataRequest_id, connection_id) to the authenticated caller's authorized project scope. This creates a horizontal privilege escalation condition where any valid team-level credential grants access to resources across all projects within that organizational boundary, bypassing intended project isolation.
RemediationAI
Upgrade to Chartbrew version 5.0.0 or later, released by the vendor to address this authorization flaw (https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0). The v5.0.0 release notes confirm migration from v4 requires no manual steps, though upgrading to Node.js v22+ is recommended. Until patching is complete, restrict team membership to only fully trusted users who should have access to all projects within the team, effectively treating team-level access as equivalent to cross-project access. Audit existing team configurations to identify users with access to multiple projects and review application logs for suspicious cross-project dataset or dataRequest API calls from accounts that should have limited project scope. Network segmentation or authentication proxy rules cannot effectively mitigate this flaw as it requires valid credentials; the only compensating control is limiting the trust boundary to match the team boundary until the patch is applied.
SQL injection in Chartbrew before 4.8.3. PoC available.
Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu
Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26411