{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32252", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.686Z", "datePublished": "2026-04-10T19:17:53.438Z", "dateUpdated": "2026-04-13T15:35:52.178Z"}, "containers": {"cna": {"title": "Chartbrew Cross-Tenant Template Export and Secret Disclosure in `GET /team/:team_id/template/generate/:project_id`", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj"}, {"name": "https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1", "tags": ["x_refsource_MISC"], "url": "https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1"}], "affected": [{"vendor": "chartbrew", "product": "chartbrew", "versions": [{"version": "< 4.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:17:53.438Z"}, "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, \"updateAny\", \"chart\") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0."}], "source": {"advisory": "GHSA-mw4f-cf22-qpcj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:28:26.260386Z", "id": "CVE-2026-32252", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:35:52.178Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32252", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:28:26.260386Z"}}}], "references": [{"url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:23:40.288Z"}}], "cna": {"title": "Chartbrew Cross-Tenant Template Export and Secret Disclosure in `GET /team/:team_id/template/generate/:project_id`", "source": {"advisory": "GHSA-mw4f-cf22-qpcj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chartbrew", "product": "chartbrew", "versions": [{"status": "affected", "version": "< 4.9.0"}]}], "references": [{"url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj", "name": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1", "name": "https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, \"updateAny\", \"chart\") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:17:53.438Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32252", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:35:52.178Z", "dateReserved": "2026-03-11T14:47:05.686Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T19:17:53.438Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1B79ADD-1022-438B-B011-661FBC9E6C0A", "versionEndExcluding": "4.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, \"updateAny\", \"chart\") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0."}], "id": "CVE-2026-32252", "lastModified": "2026-04-14T17:25:25.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T20:16:21.793", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chartbrew", "source": "cna", "vendor": "chartbrew"}, "product": "chartbrew", "vendor": "chartbrew"}], "analysis": {"en": {"generated_at": "2026-04-14T21:26:06.433115+00:00", "value": {"mitigation_remediation": ["Upgrade Chartbrew to version\u00a04.9.0 or later.", "If a patch is not yet available, restrict access to the GET /team/:team_id/template/generate/:project_id endpoint so that only users who own or are explicitly authorized for the target project can access it.", "Revoke the 'updateAny' permission from users who do not require broad template\u2011generation capabilities.", "Verify that the checkAccess promise is awaited and that supplied project IDs are validated against the requesting team in the source code."], "summary": {"action": "Immediate Patch", "impact": "Data Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the open\u2011source Chartbrew application prior to version\u00a04.9.0. Any deployment running 4.8.x or earlier is vulnerable whenever a user has the ability to generate templates in their own tenant, regardless of the team the target project belongs to.", "description_and_impact": "Chartbrew contains a cross\u2011tenant authorization bypass in the GET /team/:team_id/template/generate/:project_id endpoint. An authenticated attacker with the template\u2011generation permission in their own team can request the template for a project that belongs to another team and obtain the full template model, which may include database credentials or other secrets. This flaw is an example of Improper Authorization (CWE\u2011285).", "risk_and_exploitability": "The CVSS score of 7.7 reflects high severity due to the potential exposure of confidential data. The EPSS score is below\u00a01\u202f%, indicating that automated exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. Based on the description, we infer that the attacker can trigger the vulnerability by sending an HTTP GET request to the vulnerable endpoint while authenticated; the attack requires no elevated privileges or network access beyond normal user rights. Successfully exploiting the bug allows the attacker to read sensitive project data from another tenant."}}}}, "created": "2026-04-13T12:42:48.291389+00:00", "updated": "2026-04-15T16:00:07.790849+00:00", "vendors": ["chartbrew", "chartbrew$PRODUCT$chartbrew"]}