Platform: nodejs
Component: chartbrew
Fixed in: 4.8.5
CVE-2026-27603 is a vulnerability affecting Chartbrew, an open-source web application for creating charts from databases and APIs. This issue allows unauthenticated users to access chart data from any team or project due to missing authentication middleware in the chart filter endpoint. Versions of Chartbrew prior to 4.8.4 are affected, and a patch is available in version 4.8.4.
The primary impact of CVE-2026-27603 is the unauthorized exposure of sensitive data stored within Chartbrew charts. Because the chart filter endpoint performs no authentication, an attacker can query it directly and retrieve data from any project, regardless of whether they hold any access to that project or team. Depending on the data sources connected to the charts, this could include confidential business metrics, financial data, or personally identifiable information (PII). Since a single unauthenticated HTTP request is enough to trigger the data leak, exploitation is straightforward. This vulnerability presents a significant risk of data breaches and potential regulatory compliance violations.
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation suggests it could be quickly developed. It is not currently listed on CISA KEV. The lack of authentication makes this a high-priority vulnerability to address.
Exploit Status
EPSS: 0.06% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27603 is to immediately upgrade Chartbrew to version 4.8.4 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by adding authentication middleware to the /project/:projectid/chart/:chartid/filter endpoint. This could involve a simple token verification or role-based access control check. Review all chart filter configurations to ensure no unintended data exposure. Monitor access logs for suspicious activity targeting the filter endpoint.
Update Chartbrew to version 4.8.4 or higher. This version corrects the missing token verification and permissions check in the /project/:project_id/chart/:chart_id/filter endpoint, preventing unauthorized access to chart data.
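The following is an added example, not Chartbrew's own code: an Express-style wiring of the filter route as the advisory describes it (handler only) beside the hardened form with a token check and a team-membership check in front of the handler. The middleware names, the in-memory stores and the `dispatch` stand-in for Express's middleware chain are hypothetical so the example runs offline.

```javascript
// Added example, not Chartbrew's own code: an Express-style wiring of the
// /project/:project_id/chart/:chart_id/filter route before and after adding
// the checks the advisory says were missing. verifyToken, checkProjectAccess
// and the in-memory stores below are hypothetical, constructed sample data.
const SESSIONS = { 'tok-alice': { userId: 1 }, 'tok-mallory': { userId: 2 } };
const PROJECT_TEAM = { 10: 'teamA', 20: 'teamB' };
const TEAM_MEMBERS = { teamA: [1], teamB: [2] };
const CHARTS = { 100: { projectId: 10, data: [42, 17] } };

// Authentication: the bearer token must map to a live session.
function verifyToken(req, res, next) {
  const token = (req.headers.authorization || '').replace(/^Bearer /, '');
  const session = SESSIONS[token];
  if (!session) return res.status(401).json({ error: 'unauthenticated' });
  req.user = session;
  next();
}

// Authorisation: the caller must belong to the team that owns :project_id.
function checkProjectAccess(req, res, next) {
  const members = TEAM_MEMBERS[PROJECT_TEAM[req.params.project_id]] || [];
  if (!members.includes(req.user.userId)) return res.status(403).json({ error: 'forbidden' });
  next();
}

// Handler: also confirm the chart belongs to the project in the URL, so an
// authorised project_id cannot be paired with another team's chart_id.
function filterChart(req, res) {
  const chart = CHARTS[req.params.chart_id];
  if (!chart || String(chart.projectId) !== String(req.params.project_id)) {
    return res.status(404).json({ error: 'not found' });
  }
  return res.status(200).json({ data: chart.data });
}

// Route shape the advisory describes (handler only) versus the hardened one.
const vulnerableChain = [filterChart];
const hardenedChain = [verifyToken, checkProjectAccess, filterChart];

// Minimal stand-in for Express's middleware dispatch so this runs offline.
function dispatch(chain, req) {
  const res = { statusCode: 200, body: null,
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; } };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}
```

With the vulnerable chain an unauthenticated request returns the chart data; with the hardened chain the same request gets 401, a member of another team gets 403, and only a member of the owning team gets 200.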
CVE-2026-27603 is a vulnerability in Chartbrew versions prior to 4.8.4 that allows unauthenticated users to access chart data from any project due to missing authentication middleware.
You are affected if you are using Chartbrew version 4.8.4 or earlier. Check your installation version and upgrade immediately if necessary.
Upgrade Chartbrew to version 4.8.4 or later. If upgrading is not possible, implement authentication middleware for the chart filter endpoint as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploitation means a working exploit could appear quickly. Monitor your systems and apply the patch promptly.
Refer to the Chartbrew project's official repository and release notes for the advisory and patch details: [https://github.com/chartbrew/chartbrew](https://github.com/chartbrew/chartbrew)