Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0.
AnalysisAI
Chartbrew 4.9.0 fails to properly enforce project-level access controls on a legacy dashboard route, allowing any authenticated team member to read another team member's project report data and extract stored report passwords. The vulnerability affects users without explicit project access but with team membership, who can leverage the unprotected endpoint to view sensitive dashboard configurations and credentials. Patched in version 5.0.0.
Technical ContextAI
Chartbrew is an open-source data visualization platform that connects to databases and APIs to generate charts and dashboards. The vulnerability exists in a legacy API endpoint responsible for serving project dashboard data. The root cause is an authorization bypass (CWE-284: Improper Access Control) where the endpoint validates team membership but fails to verify project-level permissions. The endpoint returns the raw project object including sensitive fields such as stored report passwords. This is a common pattern in multi-tenant applications where endpoint-level access control neglects to implement role-based access control (RBAC) at the resource level, allowing horizontal privilege escalation within a team scope.
RemediationAI
Upgrade Chartbrew immediately to version 5.0.0 or later, which includes the authorization control patch. The upgrade path is straightforward for v4 users and does not require manual migration. If immediate upgrade is not feasible, restrict network access to the Chartbrew application to trusted internal users only, or implement reverse-proxy authentication requiring explicit project membership verification at the network layer. However, these workarounds do not address the underlying authorization flaw and should be considered temporary only. Monitor access logs for suspicious cross-project requests from low-privileged team members. See patch details and release notes at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 and security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f.
SQL injection in Chartbrew before 4.8.3. PoC available.
Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu
Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).
Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut
Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated
Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,
Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du
Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d
Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio
Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens
Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin
Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26410