Platform
nodejs
Component
chartbrew
Fixed in
4.8.5
CVE-2026-27603 is a vulnerability affecting Chartbrew, an open-source web application for creating charts from databases and APIs. This issue allows unauthenticated users to access chart data from any team or project due to missing authentication middleware in the chart filter endpoint. Versions of Chartbrew prior to 4.8.4 are affected, and a patch is available in version 4.8.4.
The primary impact of CVE-2026-27603 is the unauthorized exposure of sensitive data stored within Chartbrew charts. An attacker can bypass authentication and directly query the chart filter endpoint to retrieve data from any project, regardless of their intended access level. This could include confidential business metrics, financial data, or personally identifiable information (PII) depending on the data sources connected to the charts. The lack of authentication checks means that a simple HTTP request can trigger the data leak, making exploitation straightforward. This vulnerability presents a significant risk of data breaches and potential regulatory compliance violations.
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation suggests it could be quickly developed. It is not currently listed on CISA KEV. The lack of authentication makes this a high-priority vulnerability to address.
Organizations using Chartbrew to visualize data from sensitive sources, particularly those with shared hosting environments or legacy configurations lacking robust access controls, are at significant risk. Teams relying on Chartbrew for internal reporting and dashboards containing confidential information are also vulnerable.
• nodejs / server:
# Check for Chartbrew versions prior to 4.8.4
npm list chartbrew
• generic web:
# Check whether the filter endpoint answers without authentication
curl -I http://your-chartbrew-instance/project/123/chart/456/filter
• generic web:
# Examine access logs for requests to the filter endpoint from unusual IP addresses or without authentication headers (the pattern uses extended regex, so grep -E is required for the '+' quantifier).
grep -E '/project/[0-9]+/chart/[0-9]+/filter' /var/log/nginx/access.log
Exploit Status
EPSS
0.06% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27603 is to immediately upgrade Chartbrew to version 4.8.4 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by adding authentication middleware to the /project/:projectid/chart/:chartid/filter endpoint. This could involve a simple token verification or role-based access control check. Review all chart filter configurations to ensure no unintended data exposure. Monitor access logs for suspicious activity targeting the filter endpoint.
Update Chartbrew to version 4.8.4 or later. This version fixes the missing token and permission verification in the /project/:project_id/chart/:chart_id/filter endpoint, preventing unauthorized access to chart data.
CVE-2026-27603 is a vulnerability in Chartbrew versions prior to 4.8.4 that allows unauthenticated users to access chart data from any project due to missing authentication middleware.
You are affected if you are using Chartbrew version 4.8.4 or earlier. Check your installation version and upgrade immediately if necessary.
Upgrade Chartbrew to version 4.8.4 or later. If upgrading is not possible, implement authentication middleware for the chart filter endpoint as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploitation suggests it could be quickly exploited. Monitor your systems and apply the patch promptly.
Refer to the Chartbrew project's official repository and release notes for the advisory and patch details: [https://github.com/chartbrew/chartbrew](https://github.com/chartbrew/chartbrew)