Platform: nodejs
Component: chartbrew
Fixed in: 4.8.6
CVE-2026-30232 describes a Server-Side Request Forgery (SSRF) vulnerability affecting Chartbrew, an open-source web application for creating charts from database and API data. This flaw allows authenticated users to create API data connections using arbitrary URLs, enabling attackers to make requests to internal resources. The vulnerability impacts versions 0.0.0 through 4.8.4 and is resolved in version 4.8.5.
The SSRF vulnerability in Chartbrew allows authenticated users to bypass security controls and initiate requests to unintended destinations. An attacker could leverage this to access sensitive internal services, such as databases or configuration management systems, by crafting malicious API data connection URLs. Furthermore, the ability to target cloud metadata endpoints (e.g., AWS EC2 instance metadata) could expose credentials or other sensitive information. The blast radius extends to any internal resources accessible from the Chartbrew server, potentially compromising the entire network if proper network segmentation is not in place.
CVE-2026-30232 was publicly disclosed on 2026-04-10. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-30232 is to immediately upgrade Chartbrew to version 4.8.5 or later. If upgrading is not feasible due to compatibility issues or downtime constraints, consider implementing a Web Application Firewall (WAF) with rules to block requests to suspicious URLs or restrict access to internal IP ranges. Additionally, carefully review and restrict the permissions of authenticated users within Chartbrew to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to create an API data connection with an internal or cloud metadata URL and verifying that the request is blocked.
Update to version 4.8.5 or later to mitigate the Server-Side Request Forgery (SSRF) vulnerability. This version implements IP address validation for user-provided URLs in API data connections, thus preventing unauthorized access to internal resources.
CVE-2026-30232 is a Server-Side Request Forgery (SSRF) vulnerability in Chartbrew versions 0.0.0 through 4.8.4, allowing attackers to make requests to internal resources.
If you are running Chartbrew versions 0.0.0 through 4.8.4, you are potentially affected by this SSRF vulnerability.
Upgrade Chartbrew to version 4.8.5 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
There are currently no confirmed reports of active exploitation of CVE-2026-30232, but the vulnerability is publicly known.
Refer to the Chartbrew project's official release notes and security advisories for the most up-to-date information: [https://github.com/chartbrew/chartbrew](https://github.com/chartbrew/chartbrew)