Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT - even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.
AnalysisAI
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create a fully active account with valid JWT via the unprotected POST /user/invited endpoint, circumventing the signupRestricted configuration that normally blocks new registrations. An attacker receives a functional JWT token immediately without email verification, granting full authenticated access even when the instance restricts signups to invited users only. The vulnerability was patched in version 5.0.0.
Technical ContextAI
Chartbrew is an open-source web application that provides database and API connectivity for chart generation. The vulnerability exists in the user invitation endpoint (POST /user/invited), which is designed to accept invite tokens for authorized user registration but performs zero validation of authentication credentials, session tokens, or invite validity. Unlike the standard registration endpoint (POST /user), which respects the signupRestricted flag and sets new accounts to inactive pending email verification, the /user/invited endpoint creates fully active accounts with no preconditions. The root cause is improper access control (CWE-306) - the endpoint lacks authentication checks that should verify either a valid session, authentication header, or cryptographically signed invite token before account creation is allowed.
RemediationAI
Upgrade Chartbrew to version 5.0.0 or later immediately; the patch is confirmed in the official GitHub release at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. No manual data migration is required for users upgrading from Chartbrew 4.x. As a temporary workaround prior to patching, disable or restrict network access to the POST /user/invited endpoint at the reverse proxy or firewall level, or implement IP-based access controls limiting endpoint access to trusted invite-generation systems only - however, this is not a substitute for patching as it may break legitimate invite functionality. Review the GitHub security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp for technical details on the fix. Audit logs for any suspicious POST requests to /user/invited prior to patching to identify potential unauthorized account creation.
SQL injection in Chartbrew before 4.8.3. PoC available.
Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu
Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26405