Impact
Chartbrew, an open‑source web application that connects to databases and APIs, contains an authentication bypass in the POST /project/:project_id/chart/:chart_id/filter endpoint. The endpoint lacks verifyToken and checkPermissions middleware, allowing any requester to execute the filter and retrieve chart data without authentication. This flaw is an example of CWE‑306, where missing authentication checks permit unauthorized access. Accordingly, an attacker can read chart information from any team or project, potentially revealing sensitive data. The vulnerability is classified as high severity with a CVSS score of 8.7 and is identified as a remote unauthenticated data disclosure.
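The missing-middleware pattern described above is easiest to see in a route table. The following is an added illustration, not Chartbrew's own code: a minimal Express-style middleware chain in which the same filter handler is registered once without any guards (the vulnerable shape) and once behind `verifyToken` and `checkPermissions` (the fixed shape). The middleware names come from the advisory; the session table, chart-to-team mapping, request shape and response object are constructed for this example, and the real application's implementations will differ.

```javascript
// Added illustration, not Chartbrew's code: a minimal Express-style
// middleware chain showing the unguarded route beside the guarded route.
// verifyToken / checkPermissions are the middleware named in the advisory;
// everything else here (sessions, chart ownership, request shape) is constructed.

// Constructed session store: bearer token -> user record.
const SESSIONS = {
  "tok-alice": { id: 1, teams: [10] },
  "tok-bob": { id: 2, teams: [20] },
};

// Constructed ownership table: chart id -> owning team id.
const CHART_TEAMS = { 501: 10, 502: 20 };

// Tiny stand-in for Express' res object.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Runs a request through an ordered list of handlers the way a router does:
// each handler either calls next() or ends the response.
function runRoute(handlers, req) {
  const res = makeRes();
  let i = 0;
  const next = () => {
    const h = handlers[i++];
    if (h) h(req, res, next);
  };
  next();
  return res;
}

// Authentication: reject requests that carry no valid bearer token.
function verifyToken(req, res, next) {
  const auth = req.headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : null;
  const user = token ? SESSIONS[token] : undefined;
  if (!user) return res.status(401).json({ error: "unauthenticated" });
  req.user = user;
  next();
}

// Authorization: reject users who are not members of the chart's team.
function checkPermissions(req, res, next) {
  const team = CHART_TEAMS[req.params.chart_id];
  if (team === undefined) return res.status(404).json({ error: "no such chart" });
  if (!req.user.teams.includes(team)) return res.status(403).json({ error: "forbidden" });
  next();
}

// Final handler: applies the filter and returns (constructed) chart data.
function filterChart(req, res) {
  res.status(200).json({
    chart: req.params.chart_id,
    rows: [{ v: 1 }, { v: 2 }],
    filter: req.body,
  });
}

// Vulnerable shape: the handler is reachable with no guard in front of it.
const vulnerableRoute = [filterChart];
// Fixed shape: authentication and authorization run before the handler.
const fixedRoute = [verifyToken, checkPermissions, filterChart];

// Builds a POST /project/:project_id/chart/:chart_id/filter request.
// token === null models an anonymous caller.
function request(token, chartId) {
  return {
    method: "POST",
    params: { project_id: "1", chart_id: String(chartId) },
    headers: token ? { authorization: `Bearer ${token}` } : {},
    body: { field: "status", value: "open" },
  };
}

// Runs the two route shapes against an anonymous caller and returns the
// status codes side by side.
function compareRoutes(chartId) {
  return {
    vulnerable: runRoute(vulnerableRoute, request(null, chartId)).statusCode,
    fixed: runRoute(fixedRoute, request(null, chartId)).statusCode,
  };
}

console.log(compareRoutes(501)); // { vulnerable: 200, fixed: 401 }
```

The point the comparison makes for a reviewer is that the guard is a property of the route registration, not of the handler: `filterChart` is identical in both shapes, and only the presence of the two middleware entries in front of it decides whether an anonymous request gets chart rows or a 401. When auditing a code base for this class of defect, diff the middleware lists of sibling routes under the same prefix rather than reading handler bodies.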
Affected Systems
Any deployment of Chartbrew running a version prior to 4.8.4 is vulnerable. The affected product is Chartbrew, developed by Depomo and distributed as an open‑source web application. Administrators should check the installed version; any installation older than 4.8.4 should be treated as affected. No specific operating system or environment constraints are noted, since the flaw lies in the application’s routing logic rather than in any platform component.
Risk and Exploitability
With a CVSS score of 8.7 the flaw presents a high risk to confidentiality, while the EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is currently low. However, exploitation requires only a single unauthenticated HTTP POST request, with minimal prerequisites and no compensating control in the application. The vulnerability is not listed in CISA’s KEV catalog, so it has not been reported as exploited in the wild, but its high severity and the complete absence of authentication on the endpoint make prompt remediation important. The attack vector is remote: a request to the vulnerable endpoint over HTTP/HTTPS, with no authentication or prior access required.
OpenCVE Enrichment