Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.
Published: 2026-04-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure
Action: Immediate Patch
AI Analysis

Impact

Chartbrew contains a cross-tenant authorization bypass in the GET /team/:team_id/template/generate/:project_id endpoint. An authenticated attacker with the template-generation permission in their own team can request the template for a project that belongs to another team and obtain the full template model, which may include database credentials or other secrets. This flaw is an example of Improper Authorization (CWE-285).

Affected Systems

The vulnerability affects all releases of the open-source Chartbrew application prior to version 4.9.0. Any deployment running 4.8.x or earlier is vulnerable whenever a user has the ability to generate templates in their own tenant, regardless of the team the target project belongs to.

Risk and Exploitability

The CVSS score of 7.7 reflects high severity due to the potential exposure of confidential data. The EPSS score is below 1%, indicating that automated exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. Based on the description, we infer that the attacker can trigger the vulnerability by sending an HTTP GET request to the vulnerable endpoint while authenticated; the attack requires no elevated privileges or network access beyond normal user rights. Successfully exploiting the bug allows the attacker to read sensitive project data from another tenant.

Generated by OpenCVE AI on April 14, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chartbrew to version 4.9.0 or later.
  • If a patch is not yet available, restrict access to the GET /team/:team_id/template/generate/:project_id endpoint so that only users who own or are explicitly authorized for the target project can access it.
  • Revoke the 'updateAny' permission from users who do not require broad template-generation capabilities.
  • Verify that the checkAccess promise is awaited and that supplied project IDs are validated against the requesting team in the source code.
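The last action above is easiest to audit with the two defects side by side. The following is an added illustration, not Chartbrew's own code: a minimal Express-style handler reproducing the pattern the description gives (checkAccess called without await, and no check that project_id belongs to req.params.team_id), followed by a hardened rewrite. The project store, the checkAccess and generateTemplate stand-ins, and the request fixtures are all constructed for this example and are not the real Chartbrew models or API.

```javascript
// Constructed fixture: two tenants, each owning one project whose model carries a secret.
const projects = new Map([
  [1, { id: 1, team_id: 10, name: "Team A dashboard", connection: "postgres://a:secretA@db-a/prod" }],
  [2, { id: 2, team_id: 20, name: "Team B dashboard", connection: "postgres://b:secretB@db-b/prod" }],
]);

// Constructed stand-in for checkAccess(req, action, resource): resolves when the caller holds the
// role for that action/resource and is acting inside their own team, rejects otherwise.
async function checkAccess(req, action, resource) {
  const { user, params } = req;
  const allowed =
    user.roles.includes(`${action}:${resource}`) && Number(params.team_id) === user.team_id;
  if (!allowed) throw new Error("forbidden");
  return true;
}

// Constructed stand-in for the template generator: returns the project model, secret included.
async function generateTemplate(project) {
  return { project: project.name, connection: project.connection };
}

// VULNERABLE handler, mirroring the advisory:
//  (1) checkAccess is called but its promise is not awaited, so a rejection never blocks the
//      response (in real code it would only surface later as an unhandled rejection); and
//  (2) project_id is looked up with no check that it belongs to req.params.team_id.
async function vulnerableHandler(req) {
  // The .catch() is only here so a rejection cannot crash this demo process; the result is
  // still discarded, which is exactly the defect.
  checkAccess(req, "updateAny", "chart").catch(() => {});
  const project = projects.get(Number(req.params.project_id));
  if (!project) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: await generateTemplate(project) };
}

// HARDENED handler: await the authorization check, then bind the project to the tenant in the URL.
async function hardenedHandler(req) {
  try {
    await checkAccess(req, "updateAny", "chart");
  } catch (e) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const teamId = Number(req.params.team_id);
  const project = projects.get(Number(req.params.project_id));
  // A foreign project is answered with 404, not 403, so the response does not confirm it exists.
  if (!project || project.team_id !== teamId) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: await generateTemplate(project) };
}

// Constructed requests. crossTenantRequest: a team-10 member with the permission asks for
// team 20's project via their own team URL. noPermissionRequest: a team-10 member without the
// permission asks for their own team's project. ownProjectRequest: the legitimate case.
const crossTenantRequest = {
  user: { id: 7, team_id: 10, roles: ["updateAny:chart"] },
  params: { team_id: "10", project_id: "2" },
};
const noPermissionRequest = {
  user: { id: 8, team_id: 10, roles: [] },
  params: { team_id: "10", project_id: "1" },
};
const ownProjectRequest = {
  user: { id: 7, team_id: 10, roles: ["updateAny:chart"] },
  params: { team_id: "10", project_id: "1" },
};

// Runs every fixture through both handlers and returns the responses for inspection.
async function demo() {
  const out = {
    leaked: await vulnerableHandler(crossTenantRequest),      // 200 with team 20's secret
    unchecked: await vulnerableHandler(noPermissionRequest),  // 200 although checkAccess rejects
    blocked: await hardenedHandler(crossTenantRequest),       // 404
    denied: await hardenedHandler(noPermissionRequest),       // 403
    own: await hardenedHandler(ownProjectRequest),            // 200, caller's own project
  };
  for (const [label, r] of Object.entries(out)) console.log(label, r.status, r.body);
  return out;
}

demo().catch((e) => { console.error(e); process.exitCode = 1; });
```

Two things are worth checking in a real code review of a handler like this: an authorization function that returns a promise must be awaited (or returned) on every path before any data is read, and every object identifier taken from the URL must be resolved inside the tenant scope the caller is authorized for, not looked up globally by primary key.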

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Depomo; Depomo chartbrew
CPEs                                  cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*
Vendors & Products                    Depomo; Depomo chartbrew

Mon, 13 Apr 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Chartbrew; Chartbrew chartbrew
Vendors & Products                    Chartbrew; Chartbrew chartbrew

Fri, 10 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
Description                           Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.
Title                                 Chartbrew Cross-Tenant Template Export and Secret Disclosure in `GET /team/:team_id/template/generate/:project_id`
Weaknesses                            CWE-285
References
Metrics                               cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:35:52.178Z

Reserved: 2026-03-11T14:47:05.686Z

Link: CVE-2026-32252

Vulnrichment

Updated: 2026-04-13T15:23:40.288Z

NVD

Status : Analyzed

Published: 2026-04-10T20:16:21.793

Modified: 2026-04-14T17:25:25.940

Link: CVE-2026-32252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses