Attack Chain

1. Attacker authenticates to a Chartbrew instance with valid credentials and template generation permissions within their own team.
2. Attacker identifies a valid team_id belonging to a victim team. This could be done through enumeration of team IDs, social engineering, or other means.
3. Attacker identifies a valid project_id belonging to the victim team. This may require some level of prior knowledge or reconnaissance.
4. Attacker crafts a GET request to /team/:victim_team_id/template/generate/:victim_project_id, replacing :victim_team_id and :victim_project_id with the identified values.
5. The Chartbrew server receives the request and calls the checkAccess function, but does not await the promise.
6. Due to the missing validation of the project_id against the team_id and the caller’s team, the authorization check is bypassed.
7. The server retrieves the template model data associated with the victim’s project.
8. The server returns the victim’s project data to the attacker.

Impact

Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive project data belonging to other teams within the Chartbrew application. This could include confidential database connection strings, API keys, data schemas, and other information that could be used to further compromise the victim’s systems or data. The number of affected organizations depends on the adoption rate of Chartbrew instances prior to version 4.9.0.

Recommendation

• Upgrade Chartbrew to version 4.9.0 or later to patch CVE-2026-32252.
• Implement the Sigma rule Detect Chartbrew Template Generation Request to identify potential exploitation attempts in web server logs.
• Monitor web server logs for unusual requests to the /team/*/template/generate/* endpoint using a WAF or similar tool.