Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.
AnalysisAI
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoint. The POST /api/chart/:chart_id/query endpoint lacks authentication checks and fails to validate whether charts belong to public reports or if sharing policies permit access. Attackers possessing a chart identifier can retrieve sensitive data from private dashboards without credentials. EPSS data not available. Not listed in CISA KEV. Vendor-confirmed vulnerability with patch released in version 5.0.0.
Technical ContextAI
Chartbrew is an open-source business intelligence and data visualization platform that connects to databases and APIs to generate charts and dashboards. The vulnerability stems from CWE-862 (Missing Authorization), where the application performs a privilege check (team.allowReportRefresh) but fails to implement proper authorization logic. The endpoint does not validate the relationship between the requested chart and public sharing settings, nor does it verify the authenticated identity of the requester. This broken access control allows direct object reference attacks where knowledge of a chart ID circumvents all access controls. The affected CPE is cpe:2.3:a:chartbrew:chartbrew:*:*:*:*:*:*:*:* indicating the core Chartbrew application. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates a remotely accessible API endpoint with no complexity barriers and no authentication requirement.
RemediationAI
Upgrade to Chartbrew version 5.0.0 or later, released by the vendor and available at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. The release notes confirm no manual migration is required from v4 to v5, though Node.js v22+ is recommended. The patch addresses the missing authentication checks on the chart query endpoint. If immediate upgrade is not feasible, implement network-level access controls to restrict the /api/chart/ endpoint paths to authenticated users only via reverse proxy rules (nginx, Apache, or application firewall). This workaround prevents unauthenticated external access but may interfere with legitimate public report functionality if such features are in use. Alternatively, audit all chart identifiers for exposure in logs, analytics, or public-facing pages, and rotate identifiers if possible (requires application-level changes beyond standard configuration). Review sharing policies and team settings to ensure private charts are not inadvertently configured with team.allowReportRefresh enabled. The network restriction approach has minimal side effects for authenticated users but requires infrastructure changes; identifier rotation is operationally complex.
SQL injection in Chartbrew before 4.8.3. PoC available.
Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu
Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e
Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26409