Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.
Published: 2026-04-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Patch Immediately
AI Analysis

Impact

Chartbrew allows authenticated users to create API data connections by entering arbitrary URLs. Because the server fetches those URLs (through request-promise) without validating the address the hostname resolves to, a user can point the application at hosts on the internal network or at cloud metadata endpoints. The resulting server-side request forgery lets the attacker read the responses, exposing data such as internal service output or cloud instance credentials that can be leveraged for further attacks. The weakness is classified as CWE-918 (Server-Side Request Forgery).

Affected Systems

The vulnerability exists in Chartbrew versions prior to 4.8.5. Any deployment of the open‑source Chartbrew product before that release is potentially impacted.

Risk and Exploitability

The CVSS v4.0 base score of 7.8 is rated High; NVD's CVSS v3.1 assessment is 9.6 (Critical, with changed scope). The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Per the vulnerability description an attacker needs a valid Chartbrew account (the v3.1 vector records PR:L, although the v4.0 vector records PR:N), and it is the Chartbrew server, not the attacker, that must be able to reach the targeted internal or cloud metadata endpoint. Once the SSRF is triggered the attacker reads the endpoint's response, so the impact falls on subsequent systems (SC:H/SI:H in the v4.0 vector): confidentiality of whatever those endpoints return, and integrity where internal services act on unauthenticated HTTP requests. Neither vector records an availability impact.

Generated by OpenCVE AI on April 14, 2026 at 19:35 UTC.

Remediation

The vulnerability description states that the issue is fixed in Chartbrew 4.8.5; no separate vendor advisory or workaround for earlier versions is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Chartbrew to version 4.8.5 or later.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Depomo; Depomo chartbrew
CPEs                  (none)           cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Depomo; Depomo chartbrew
Metrics               (none)           cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


Mon, 13 Apr 2026 13:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Chartbrew; Chartbrew chartbrew
Vendors & Products    (none)           Chartbrew; Chartbrew chartbrew

Fri, 10 Apr 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.
Title         (none)           Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs
Weaknesses    (none)           CWE-918
References    (none)           (none recorded)
Metrics       (none)           cvssV4_0: {'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T15:07:30.227Z

Reserved: 2026-03-04T17:23:59.798Z

Link: CVE-2026-30232

Vulnrichment

Updated: 2026-04-15T15:07:20.724Z

NVD

Status : Analyzed

Published: 2026-04-10T20:16:21.323

Modified: 2026-04-14T17:26:55.467

Link: CVE-2026-30232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses