{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/chartbrew/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-32252"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chartbrew","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChartbrew, an open-source web application used for creating charts from databases and APIs, is vulnerable to a cross-tenant authorization bypass (CVE-2026-32252) in versions prior to 4.9.0. This vulnerability resides in the GET /team/:team_id/template/generate/:project_id endpoint. Specifically, the \u003ccode\u003echeckAccess\u003c/code\u003e function doesn\u0026rsquo;t await its promise and fails to validate if the \u003ccode\u003eproject_id\u003c/code\u003e belongs to the specified \u003ccode\u003eteam_id\u003c/code\u003e or the attacker\u0026rsquo;s team. This allows an authenticated attacker with template generation permissions in their own team to request and receive template model data for projects belonging to other teams. Upgrading to version 4.9.0 or later resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to a Chartbrew instance with valid credentials and template generation permissions within their own team.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a valid \u003ccode\u003eteam_id\u003c/code\u003e belonging to a victim team. This could be done through enumeration of team IDs, social engineering, or other means.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a valid \u003ccode\u003eproject_id\u003c/code\u003e belonging to the victim team. This may require some level of prior knowledge or reconnaissance.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a GET request to \u003ccode\u003e/team/:victim_team_id/template/generate/:victim_project_id\u003c/code\u003e, replacing \u003ccode\u003e:victim_team_id\u003c/code\u003e and \u003ccode\u003e:victim_project_id\u003c/code\u003e with the identified values.\u003c/li\u003e\n\u003cli\u003eThe Chartbrew server receives the request and calls the \u003ccode\u003echeckAccess\u003c/code\u003e function, but does not await the promise.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation of the \u003ccode\u003eproject_id\u003c/code\u003e against the \u003ccode\u003eteam_id\u003c/code\u003e and the caller\u0026rsquo;s team, the authorization check is bypassed.\u003c/li\u003e\n\u003cli\u003eThe server retrieves the template model data associated with the victim\u0026rsquo;s project.\u003c/li\u003e\n\u003cli\u003eThe server returns the victim\u0026rsquo;s project data to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive project data belonging to other teams within the Chartbrew application. This could include confidential database connection strings, API keys, data schemas, and other information that could be used to further compromise the victim\u0026rsquo;s systems or data. The number of affected organizations depends on the adoption rate of Chartbrew instances prior to version 4.9.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chartbrew to version 4.9.0 or later to patch CVE-2026-32252.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Chartbrew Template Generation Request\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests to the \u003ccode\u003e/team/*/template/generate/*\u003c/code\u003e endpoint using a WAF or similar tool.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T20:16:21Z","date_published":"2026-04-10T20:16:21Z","id":"/briefs/2024-01-03-chartbrew-auth-bypass/","summary":"Chartbrew versions prior to 4.9.0 are vulnerable to a cross-tenant authorization bypass, allowing an authenticated attacker to access project data belonging to other teams.","title":"Chartbrew Cross-Tenant Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chartbrew-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Chartbrew","version":"https://jsonfeed.org/version/1.1"}