Platform
nodejs
Component
chartbrew
Fixed in
4.9.1
CVE-2026-32252 describes a cross-tenant authorization bypass in Chartbrew, an open-source web application for creating charts from databases and APIs. An authenticated user of one team can generate project templates from projects owned by other teams on the same instance, exposing whatever configuration those templates carry. The vulnerability affects versions 0.0.0 up to, but not including, 4.9.0; a fix is available in version 4.9.0.
The flaw lies in the /team/:teamid/template/generate/:projectid endpoint. Chartbrew checks that the caller is a member of :teamid with template-generation rights, but it does not check that :projectid belongs to that same team. An attacker holding legitimate template-generation permission in their own team can therefore substitute the id of another team's project and receive its generated template. Because a generated template is built from the project's configuration, this could expose database connection strings, API keys and other secrets referenced by that project, and through them potentially the underlying data itself. The blast radius is every team on a shared Chartbrew instance, since any authenticated user with template-generation privileges could exploit it.
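The handler shape that produces this class of bug, next to the hardened shape, as an added example in Node.js (this is illustrative code, not Chartbrew's own; the in-memory db, findProject, buildTemplate and the 404-on-mismatch choice are assumptions):

```javascript
// Added example, not Chartbrew's own code: the handler shape behind a
// cross-tenant check failure on a route like
// /team/:teamid/template/generate/:projectid, next to the hardened shape.
// The in-memory "db", findProject and buildTemplate are assumptions made
// for illustration; the real project uses a database-backed model.

const db = {
  projects: [
    { id: 101, team_id: 1, name: "Sales dashboard", connection: "postgres://sales-db/..." },
    { id: 202, team_id: 2, name: "Finance dashboard", connection: "postgres://fin-db/..." },
  ],
};

// Express route params arrive as strings; coerce once and reject anything
// that is not a positive integer, so a string/number mismatch can never make
// the later equality check silently fail or pass.
function parseId(raw) {
  const n = Number(raw);
  return Number.isInteger(n) && n > 0 ? n : null;
}

function findProject(id) {
  return db.projects.find((p) => p.id === id) || null;
}

function buildTemplate(project) {
  // A generated template carries the project's configuration, which is why
  // serving it to the wrong team is data exposure rather than a cosmetic bug.
  return { name: project.name, connection: project.connection, charts: [] };
}

// VULNERABLE: upstream middleware has already verified that the caller is a
// member of req.params.teamid with template-generation rights, but projectid
// is then used as-is, so any project id on the instance is accepted.
function generateTemplateVulnerable(req) {
  const projectId = parseId(req.params.projectid);
  const project = projectId ? findProject(projectId) : null;
  if (!project) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: buildTemplate(project) };
}

// HARDENED: the project's owning team must equal the team in the URL.
// Answering 404 rather than 403 keeps a probe from confirming that a
// foreign project id exists.
function generateTemplateFixed(req) {
  const teamId = parseId(req.params.teamid);
  const projectId = parseId(req.params.projectid);
  const project = teamId && projectId ? findProject(projectId) : null;
  if (!project || project.team_id !== teamId) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: buildTemplate(project) };
}

// Constructed requests: a member of team 1 asks for their own project 101,
// then for team 2's project 202.
const sameTenant = { params: { teamid: "1", projectid: "101" } };
const crossTenant = { params: { teamid: "1", projectid: "202" } };

// Summarise the difference between the two handlers for the same requests.
function demonstrate() {
  return {
    vulnerableCrossTenant: generateTemplateVulnerable(crossTenant).status, // 200
    fixedCrossTenant: generateTemplateFixed(crossTenant).status,           // 404
    fixedSameTenant: generateTemplateFixed(sameTenant).status,             // 200
  };
}
```

The essential change is that ownership is established inside the handler from the record itself, not inferred from the fact that the caller passed the team-membership check on the URL prefix. In a real database-backed model the equivalent is to scope the lookup by both keys (project id and team id) in one query rather than fetching by id and filtering afterwards.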
CVE-2026-32252 was publicly disclosed on 2026-04-10. There is currently no indication of active exploitation in the wild, and no publicly available proof-of-concept (PoC) exploit. The vulnerability had not been added to the CISA KEV catalog at the time of writing. Given the recent disclosure and the lack of public exploits, the probability of exploitation is currently considered low to medium. The absence of a public PoC should not be read as a measure of difficulty, however: an authorization bypass of this kind needs only a valid session in one team and a different project id in the URL, so operators of multi-team instances should treat upgrading as urgent regardless.
Exploit Status
EPSS
0.03% (8th percentile)
The primary mitigation for CVE-2026-32252 is to upgrade Chartbrew to version 4.9.0 or later. If upgrading is not immediately feasible, restrict access to the /team/:teamid/template/generate/:projectid endpoint until it is. Note that a reverse proxy or WAF rule only sees the two identifiers in the URL; it cannot tell whether :projectid actually belongs to :teamid without consulting the application database, so the realistic interim options are to deny the endpoint entirely at the proxy or to add the ownership check in a locally patched build. Review and audit existing template-generation permissions so they are scoped as narrowly as possible. There are no WAF signatures or Sigma/YARA rules for this vulnerability, as is typical of an authorization bypass: the requests are well-formed and indistinguishable from legitimate ones except for the ownership relationship between the two identifiers. A retrospective check is still possible from access logs, by joining the :projectid of each request against the project's owning team and looking for mismatches with the :teamid in the path.
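A retrospective log audit of the kind just described, as an added example (not a Chartbrew tool; the log format, the user= field, the HTTP method and the projectOwners mapping are constructed assumptions, and the regex will need adapting to your proxy's format):

```javascript
// Added example, not Chartbrew's own tooling: a retrospective audit of
// reverse-proxy access logs for the /team/:teamid/template/generate/:projectid
// route. Each request's :projectid is joined against the project's owning team;
// a mismatch between that team and the :teamid in the URL is the only signal
// this bypass leaves. The log format, user field and projectOwners export are
// constructed assumptions; adapt LINE_RE to your proxy's format.

// Constructed mapping project id -> owning team id (for instance, exported
// from the projects table of the affected instance).
const projectOwners = new Map([
  [101, 1],
  [202, 2],
  [303, 3],
]);

// Constructed log lines: timestamp, authenticated user, request line, status.
const sampleLog = `
2026-04-11T10:02:13Z user=alice@example.com "POST /team/1/template/generate/101" 200
2026-04-11T10:05:47Z user=mallory@example.com "POST /team/1/template/generate/202" 200
2026-04-11T10:06:02Z user=mallory@example.com "POST /team/1/template/generate/303" 200
2026-04-11T10:07:19Z user=mallory@example.com "POST /team/1/template/generate/999" 404
2026-04-11T10:09:55Z user=bob@example.com "POST /team/2/template/generate/202" 200
2026-04-11T10:11:30Z user=bob@example.com "GET /team/2/project/202" 200
`;

const LINE_RE =
  /^(\S+)\s+user=(\S+)\s+"(\S+)\s+\/team\/(\d+)\/template\/generate\/(\d+)"\s+(\d{3})$/;

// Parse one line; returns null for lines that are not template-generation requests.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return {
    ts: m[1],
    user: m[2],
    method: m[3],
    teamId: Number(m[4]),
    projectId: Number(m[5]),
    status: Number(m[6]),
  };
}

// Flag every request whose project belongs to a team other than the one in
// the URL. Only 2xx responses count as exposure; requests for unknown project
// ids are reported separately because they look like enumeration.
function auditTemplateRequests(logText, owners) {
  const exposures = [];
  const probes = [];
  for (const raw of logText.split("\n")) {
    const r = parseLine(raw);
    if (!r) continue;
    const ownerTeam = owners.get(r.projectId);
    if (ownerTeam === undefined) {
      probes.push(r);
    } else if (ownerTeam !== r.teamId && r.status >= 200 && r.status < 300) {
      exposures.push({ ...r, ownerTeam });
    }
  }
  return { exposures, probes };
}

const report = auditTemplateRequests(sampleLog, projectOwners);
```

On the constructed sample the audit flags mallory's two successful requests for projects owned by teams 2 and 3 while authenticated to team 1, and separately lists the 404 on project 999 as a probable enumeration attempt; bob's request for his own team's project is not flagged. Run it over the full retention window of the proxy logs, since the flaw has been present in every version before the fix.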
Update to version 4.9.0 or later to fix the cross-tenant authorization bypass vulnerability. This update implements proper verification to ensure that accessed projects belong to the requester's team, preventing the exposure of data from other teams.
CVE-2026-32252 is a cross-tenant authorization bypass in Chartbrew versions 0.0.0 through 4.8.9 that allows an authenticated user with template-generation rights in one team to generate templates from projects owned by other teams.
You are affected if you are running Chartbrew versions 0.0.0 through 4.8.9 and have not yet upgraded to version 4.9.0 or later.
Upgrade Chartbrew to version 4.9.0 or later. As a temporary workaround, restrict access to the /team/:teamid/template/generate/:projectid endpoint.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the Chartbrew project's official website and security advisories for the latest information and updates regarding CVE-2026-32252.