Impact
Chartbrew is an open‑source analytics platform that allows users to connect databases and APIs to generate charts. In version 4.9.0 the API exposed public chart retrieval and export endpoints that only checked whether the enclosing project was marked public, and for exports verified a generic team‑level toggle. However, the endpoints failed to confirm whether the individual chart was intended for public display or whether the SharePolicy explicitly granted public access. As a result, an attacker, even without authentication, could supply a known chart identifier and read or download chart data that should have remained hidden. The weakness is an improper access control flaw (CWE‑284) that leads to unauthorized disclosure of chart data.
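The gap described above, shown as a vulnerable authorization check beside a hardened one. This is an added illustration, not Chartbrew's code: the record shapes (`public` flags, `allowPublicExport`, the `sharePolicies` table) are assumed for the example.

```javascript
// Added illustration, not Chartbrew's code: record shapes below are assumed.
// Constructed sample data: one public project holding a public and a private chart.
const teams = { 1: { id: 1, allowPublicExport: true } };
const projects = { 10: { id: 10, teamId: 1, public: true } };
const charts = {
  100: { id: 100, projectId: 10, public: true },  // meant for public display
  101: { id: 101, projectId: 10, public: false }, // internal chart in the same public project
};
// SharePolicy rows: only chart 100 explicitly allows public access.
const sharePolicies = { 100: { chartId: 100, allowPublic: true } };

// Vulnerable pattern: a public chart request passes if the enclosing project is public.
function canReadPublicChartVulnerable(chartId) {
  const chart = charts[chartId];
  if (!chart) return false;
  const project = projects[chart.projectId];
  return Boolean(project && project.public);
}

// Vulnerable export pattern: adds only the generic team-level toggle.
function canExportPublicChartVulnerable(chartId) {
  if (!canReadPublicChartVulnerable(chartId)) return false;
  const team = teams[projects[charts[chartId].projectId].teamId];
  return Boolean(team && team.allowPublicExport);
}

// Hardened: deny unless the project is public, the chart itself is public,
// and a SharePolicy explicitly grants public access (deny by default if none).
function canReadPublicChartFixed(chartId) {
  const chart = charts[chartId];
  if (!chart) return false;
  const project = projects[chart.projectId];
  if (!project || !project.public) return false;
  if (!chart.public) return false;
  const policy = sharePolicies[chartId];
  return Boolean(policy && policy.allowPublic === true);
}

// Hardened export: per-chart checks first, then the team-level export toggle.
function canExportPublicChartFixed(chartId) {
  if (!canReadPublicChartFixed(chartId)) return false;
  const team = teams[projects[charts[chartId].projectId].teamId];
  return Boolean(team && team.allowPublicExport);
}
```

With the sample data, the vulnerable functions return `true` for the private chart 101 (the disclosure), while the hardened ones deny it and still allow chart 100.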
Affected Systems
Chartbrew’s open‑source web application. The vulnerability exists in any GitHub project using Chartbrew version 4.9.0 or earlier. It was resolved in the subsequent release, version 5.0.0.
Risk and Exploitability
The CVSS score of 7.5 indicates a high‑severity risk. The lack of an EPSS score means no published probability estimate is available, but the vulnerability was publicly disclosed and has been addressed by the vendor. The issue can be exploited simply by sending HTTP requests to the public chart or export endpoints with a guessed chart identifier, which is feasible for an unauthenticated attacker. Because the flaw resides in the back‑end logic and does not require privileged user credentials, the likely attack vector is remote network access over HTTP/HTTPS. The vulnerability has not been listed in the CISA KEV catalog, yet its high impact and ease of exploitation warrant immediate remediation if the affected version is in use.
OpenCVE Enrichment