CVE-2026-32252
HIGHChartbrew Cross-Tenant Template Export and Secret Disclosure in `GET /team/:team_id/template/generate/:project_id`
Title source: cnaDescription
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj
X_Refsource_Misc x_refsource_misc
https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1
Scores
CVSS v3
7.7
EPSS
0.0029
EPSS Percentile
20.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285
Status
published
Products (2)
chartbrew/chartbrew
< 4.9.0
depomo/chartbrew
< 4.9.0
Published
Apr 10, 2026
Tracked Since
Apr 11, 2026