Skip to main content

Chartbrew EUVDEUVD-2026-26405

| CVE-2026-35514 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-30 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 19:15 vuln.today
Analysis Generated
Apr 30, 2026 - 19:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 19:00 euvd
EUVD-2026-26405
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
CVE Published
Apr 30, 2026 - 18:21 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT - even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.

AnalysisAI

Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create a fully active account with valid JWT via the unprotected POST /user/invited endpoint, circumventing the signupRestricted configuration that normally blocks new registrations. An attacker receives a functional JWT token immediately without email verification, granting full authenticated access even when the instance restricts signups to invited users only. The vulnerability was patched in version 5.0.0.

Technical ContextAI

Chartbrew is an open-source web application that provides database and API connectivity for chart generation. The vulnerability exists in the user invitation endpoint (POST /user/invited), which is designed to accept invite tokens for authorized user registration but performs zero validation of authentication credentials, session tokens, or invite validity. Unlike the standard registration endpoint (POST /user), which respects the signupRestricted flag and sets new accounts to inactive pending email verification, the /user/invited endpoint creates fully active accounts with no preconditions. The root cause is improper access control (CWE-306) - the endpoint lacks authentication checks that should verify either a valid session, authentication header, or cryptographically signed invite token before account creation is allowed.

RemediationAI

Upgrade Chartbrew to version 5.0.0 or later immediately; the patch is confirmed in the official GitHub release at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. No manual data migration is required for users upgrading from Chartbrew 4.x. As a temporary workaround prior to patching, disable or restrict network access to the POST /user/invited endpoint at the reverse proxy or firewall level, or implement IP-based access controls limiting endpoint access to trusted invite-generation systems only - however, this is not a substitute for patching as it may break legitimate invite functionality. Review the GitHub security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp for technical details on the fix. Audit logs for any suspicious POST requests to /user/invited prior to patching to identify potential unauthorized account creation.

CVE-2026-27005 CRITICAL POC
9.8 Mar 06

SQL injection in Chartbrew before 4.8.3. PoC available.

CVE-2026-25888 HIGH POC
8.8 Mar 06

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu

CVE-2026-27603 HIGH POC
7.5 Mar 06

Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2026-25877 MEDIUM POC
6.5 Mar 06

Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated

CVE-2026-27605 MEDIUM POC
6.3 Mar 06

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,

CVE-2026-40600 HIGH
8.1 Apr 30

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du

CVE-2026-40904 HIGH
8.1 Apr 30

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d

CVE-2026-30232 HIGH
7.8 Apr 10

Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio

CVE-2026-32252 HIGH
7.7 Apr 10

Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens

CVE-2026-40601 HIGH
7.5 Apr 30

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin

CVE-2026-40595 HIGH
7.5 Apr 30

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e

Share

EUVD-2026-26405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy