High severity7.7NVD Advisory· Published Apr 10, 2026· Updated Apr 14, 2026

CVE-2026-32252

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.

Affected products

Chartbrew/Chartbrew
cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*
Range: <4.9.0

Patches

bf5919043d35

https://github.com/chartbrew/chartbrewvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1nvdPatch
github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcjnvdExploitMitigationVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.501
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000