Platform
nodejs
Component
chartbrew
Fixed version
4.8.5
CVE-2026-27603 is a vulnerability affecting Chartbrew, an open-source web application for creating charts from databases and APIs. This issue allows unauthenticated users to access chart data from any team or project due to missing authentication middleware in the chart filter endpoint. Versions of Chartbrew prior to 4.8.4 are affected, and a patch is available in version 4.8.4.
The primary impact of CVE-2026-27603 is the unauthorized exposure of sensitive data stored within Chartbrew charts. An attacker can bypass authentication and directly query the chart filter endpoint to retrieve data from any project, regardless of their intended access level. This could include confidential business metrics, financial data, or personally identifiable information (PII) depending on the data sources connected to the charts. The lack of authentication checks means that a simple HTTP request can trigger the data leak, making exploitation straightforward. This vulnerability presents a significant risk of data breaches and potential regulatory compliance violations.
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation suggests it could be quickly developed. It is not currently listed on CISA KEV. The lack of authentication makes this a high-priority vulnerability to address.
Organizations using Chartbrew to visualize data from sensitive sources, particularly those with shared hosting environments or legacy configurations lacking robust access controls, are at significant risk. Teams relying on Chartbrew for internal reporting and dashboards containing confidential information are also vulnerable.
• nodejs / server:
# Check for Chartbrew versions prior to 4.8.4
npm list chartbrew
• generic web:
# Check for access to the filter endpoint without authentication
# (a 200 response with no credentials indicates an unpatched instance)
curl -I http://your-chartbrew-instance/project/123/chart/456/filter
• generic web:
# Examine access logs for requests to the filter endpoint from unusual IP addresses or without authentication headers.
# -E is required so that "+" is treated as a regex quantifier rather than a literal
grep -E '/project/[0-9]+/chart/[0-9]+/filter' /var/log/nginx/access.log
Exploitation status
EPSS
0.06% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2026-27603 is to immediately upgrade Chartbrew to version 4.8.4 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by adding authentication middleware to the /project/:projectid/chart/:chartid/filter endpoint. This could involve a simple token verification or role-based access control check. Review all chart filter configurations to ensure no unintended data exposure. Monitor access logs for suspicious activity targeting the filter endpoint.
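As an added example that is not Chartbrew's own code, the following Express-style JavaScript shows the filter route with no middleware beside the patched form, where a bearer-token check and a project-membership check run before the handler; the in-memory stores, token values, status codes and the `filterRequest` helper are assumptions for illustration.

```javascript
// Added example, not Chartbrew's own code: the filter route before and after adding
// authentication and project-membership middleware. Stores and token format are assumed.
// Constructed sample state; Maps avoid inherited keys such as "__proto__" matching.
const SESSIONS = new Map([["tok-alice", 1], ["tok-bob", 2]]);               // token -> userId
const PROJECT_MEMBERS = new Map([[123, new Set([1])], [124, new Set([1])]]); // projectId -> userIds
const CHARTS = new Map([[456, { projectId: 123, rows: [{ month: "Jan", revenue: 10 }] }]]);
// Minimal stand-in for the Express router: run handlers until one sends a response.
function run(stack, req) {
  const res = { status: 200, body: null, sent: false };
  res.send = (status, body) => { res.status = status; res.body = body; res.sent = true; };
  for (const handler of stack) { handler(req, res); if (res.sent) break; }
  return res;
}

// Middleware 1: authentication. Requests without a valid bearer token get 401.
function verifyToken(req, res) {
  const header = req.headers.authorization || "";
  const token = header.startsWith("Bearer ") ? header.slice(7) : "";
  const userId = SESSIONS.get(token);
  if (userId === undefined) return res.send(401, { error: "unauthenticated" });
  req.user = { id: userId };
}

// Middleware 2: authorization. The caller must be a member of the project in the URL,
// and the chart must belong to that project, so a foreign chart id cannot be read.
function authorizeChartAccess(req, res) {
  const projectId = Number(req.params.project_id);
  const chartId = Number(req.params.chart_id);
  const members = PROJECT_MEMBERS.get(projectId);
  if (!members || !members.has(req.user.id)) return res.send(403, { error: "forbidden" });
  const chart = CHARTS.get(chartId);
  if (!chart || chart.projectId !== projectId) return res.send(404, { error: "not found" });
  req.chart = chart;
}
// Route handler: returns the chart rows (the data the vulnerability exposes).
function filterHandler(req, res) {
  const chart = req.chart || CHARTS.get(Number(req.params.chart_id));
  if (!chart) return res.send(404, { error: "not found" });
  res.send(200, { rows: chart.rows });
}
// Before the fix only the handler was registered; after it, both checks run first.
const vulnerableRoute = [filterHandler];
const patchedRoute = [verifyToken, authorizeChartAccess, filterHandler];

// Simulate GET /project/:project_id/chart/:chart_id/filter with an optional Authorization header.
function filterRequest(route, projectId, chartId, authorization) {
  const headers = authorization ? { authorization } : {};
  return run(route, { params: { project_id: projectId, chart_id: chartId }, headers });
}
```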
Update Chartbrew to 4.8.4 or later. This version fixes the missing token and permission verification in the /project/:project_id/chart/:chart_id/filter endpoint, preventing unauthorized access to chart data.
CVE-2026-27603 is a vulnerability in Chartbrew versions prior to 4.8.4 that allows unauthenticated users to access chart data from any project due to missing authentication middleware.
You are affected if you are using Chartbrew version 4.8.4 or earlier. Check your installation version and upgrade immediately if necessary.
Upgrade Chartbrew to version 4.8.4 or later. If upgrading is not possible, implement authentication middleware for the chart filter endpoint as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploitation suggests it could be quickly exploited. Monitor your systems and apply the patch promptly.
Refer to the Chartbrew project's official repository and release notes for the advisory and patch details: [https://github.com/chartbrew/chartbrew](https://github.com/chartbrew/chartbrew)