Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.
AnalysisAI
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own due to insufficient authorization checks. An attacker with legitimate access to one project can manipulate SharePolicy records (visibility settings, passwords, allowed parameters, expiration dates) for dashboards in any other project within the same Chartbrew instance. While CVSS rates this 8.1 HIGH, real-world risk depends heavily on multi-tenancy deployment: single-organization instances face lower insider threat exposure than multi-tenant SaaS scenarios. EPSS data not available. No public exploit identified at time of analysis, though exploitation requires only basic authenticated API access.
Technical ContextAI
This is an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) in Chartbrew's SharePolicy management API. The application uses a web framework that authorizes API calls based on the project_id in the URL path but fails to validate that the policy_id parameter in the request body belongs to that same project. This broken object-level authorization allows horizontal privilege escalation across tenant boundaries. SharePolicy records control critical security functions for dashboard sharing: public visibility flags, password protection, parameter whitelisting, and time-based access expiration. The vulnerability exists in RESTful API endpoints (likely PUT/PATCH and DELETE routes) that accept both project_id (path parameter) and policy_id (body/query parameter) without cross-referencing them in the authorization layer.
RemediationAI
Upgrade immediately to Chartbrew version 5.0.0, released on the project's GitHub repository at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. According to the release notes, no manual migration is required and v4 users can update like any other version, though upgrading to Node.js v22+ is recommended. The fix implements proper authorization checks to verify that policy_id parameters belong to the project_id in the request path before allowing modification or deletion operations. For organizations unable to upgrade immediately, implement compensating controls at the reverse proxy or API gateway layer: add request validation middleware that queries the database to confirm policy_id ownership before forwarding PUT/PATCH/DELETE requests to SharePolicy endpoints (this adds latency and database load but prevents exploitation). Alternatively, restrict API access to SharePolicy routes using firewall rules or application-level ACLs to trusted administrator IPs only (this breaks legitimate multi-user workflows and is not sustainable long-term). Both workarounds are brittle and should be replaced with the official patch as soon as possible. Review SharePolicy audit logs for suspicious cross-project modifications between the 4.9.0 release date and your upgrade timestamp.
SQL injection in Chartbrew before 4.8.3. PoC available.
Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu
Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26408