Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT — even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The POST /user/invited endpoint of Chartbrew fails to validate any invite token, authentication header, or session. This is a CWE-306 (Improper Authentication) vulnerability that allows an unauthenticated attacker to create a fully active account and obtain a valid JSON Web Token, even when the application already has existing users and signup restrictions enabled. The vulnerability bypasses the normal registration flow, which queues new users for verification, resulting in elevation of privileges and potential unauthorized access to protected resources.

Affected Systems

Chartbrew chartbrew is affected, specifically versions 4.9.0 and earlier that rely on the unpatched /user/invited endpoint. The fix was released in version 5.0.0, so any deployment running a version older than 5.0.0 is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. The attack can be carried out remotely by sending an HTTP POST request to /user/invited from any network location. Successful exploitation grants a fresh, fully activated account and a bearer token, enabling direct, authenticated access to the application.

Generated by OpenCVE AI on May 2, 2026 at 00:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chartbrew to version 5.0.0 or newer, which implements proper invite token and authentication checks for the /user/invited endpoint.
  • If an upgrade is not immediately possible, block or disable the /user/invited endpoint for unauthenticated traffic using a firewall rule or reverse-proxy configuration.
  • Ensure the application is configured to require valid authentication headers or tokens for all account-creation routes, reducing the risk of similar bypasses in future releases.



Advisories

No advisories yet.

History

Fri, 01 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Chartbrew; Chartbrew chartbrew

Type: Vendors & Products
Values Removed: (empty)
Values Added: Chartbrew; Chartbrew chartbrew

Thu, 30 Apr 2026 19:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT — even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.

Type: Title
Values Removed: (empty)
Values Added: Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-306

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-01T16:38:31.525Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35514

Vulnrichment

Updated: 2026-05-01T16:38:26.951Z

NVD

Status : Deferred

Published: 2026-04-30T19:16:09.217

Modified: 2026-05-01T15:31:02.467

Link: CVE-2026-35514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses