{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27603", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.602Z", "datePublished": "2026-03-06T04:07:49.383Z", "dateUpdated": "2026-03-06T16:08:26.139Z"}, "containers": {"cna": {"title": "Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fhr-5vvc-p455", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fhr-5vvc-p455"}, {"name": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.4"}], "affected": [{"vendor": "chartbrew", "product": "chartbrew", "versions": [{"version": "< 4.8.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:07:49.383Z"}, "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing unauthenticated users to access chart data from any team/project. This issue has been patched in version 4.8.4."}], "source": {"advisory": "GHSA-9fhr-5vvc-p455", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:00:23.121932Z", "id": "CVE-2026-27603", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:08:26.139Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27603", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:00:23.121932Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:00:24.202Z"}}], "cna": {"title": "Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions", "source": {"advisory": "GHSA-9fhr-5vvc-p455", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chartbrew", "product": "chartbrew", "versions": [{"status": "affected", "version": "< 4.8.4"}]}], "references": [{"url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fhr-5vvc-p455", "name": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fhr-5vvc-p455", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.4", "name": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing unauthenticated users to access chart data from any team/project. This issue has been patched in version 4.8.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:07:49.383Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27603", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:08:26.139Z", "dateReserved": "2026-02-20T19:43:14.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:07:49.383Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:depomo:chartbrew:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3C24A0D-9049-4B99-930F-20EE11FFE27F", "versionEndExcluding": "4.8.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing unauthenticated users to access chart data from any team/project. This issue has been patched in version 4.8.4."}, {"lang": "es", "value": "Chartbrew es una aplicaci\u00f3n web de c\u00f3digo abierto que puede conectarse directamente a bases de datos y API y usar los datos para crear gr\u00e1ficos. Antes de la versi\u00f3n 4.8.4, el endpoint de filtro de gr\u00e1ficos POST /project/:project_id/chart/:chart_id/filter carece de los middleware verifyToken y checkPermissions, permitiendo a usuarios no autenticados acceder a datos de gr\u00e1ficos de cualquier equipo/proyecto. Este problema ha sido parcheado en la versi\u00f3n 4.8.4."}], "id": "CVE-2026-27603", "lastModified": "2026-03-10T14:02:36.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T05:16:30.967", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/chartbrew/chartbrew/releases/tag/v4.8.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit", "Mitigation"], "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-9fhr-5vvc-p455"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.8.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "chartbrew", "source": "cna", "vendor": "chartbrew"}, "product": "chartbrew", "vendor": "chartbrew"}], "analysis": {"en": {"generated_at": "2026-04-17T12:26:23.957937+00:00", "value": {"mitigation_remediation": ["Upgrade Chartbrew to version 4.8.4 or later where the missing authentication checks are added.", "If an upgrade is not immediately possible, restrict unauthenticated traffic to the /project/:project_id/chart/:chart_id/filter endpoint, for example by configuring a reverse proxy or firewall rule that requires authentication before allowing POST requests to that path.", "Consider disabling the filter functionality entirely or limiting it to users with explicit permissions until the patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "Data Disclosure"}, "threat_synthesis": {"affected_systems": "Any deployment of Chartbrew running a version prior to 4.8.4 is vulnerable. The affected product is Chartbrew, developed by Depomo, which is distributed as an open\u2011source web application. Users must verify the installed version; installations with versions older than 4.8.4 must be considered at risk. No specific operating system or environment constraints are noted; the flaw lies in the application\u2019s routing logic.", "description_and_impact": "Chartbrew, an open\u2011source web application that connects to databases and APIs, contains an authentication bypass in the POST /project/:project_id/chart/:chart_id/filter endpoint. The endpoint lacks verifyToken and checkPermissions middleware, allowing any requester to execute the filter and retrieve chart data without authentication. This flaw is an example of CWE\u2011306, where missing authentication checks permit unauthorized access. Accordingly, an attacker can read chart information from any team or project, potentially revealing sensitive data. The vulnerability is classified as high severity with a CVSS score of 8.7 and is identified as a remote unauthenticated data disclosure.", "risk_and_exploitability": "With a CVSS score of 8.7 the flaw presents a high risk to confidentiality, and the EPSS score of less than 1% indicates that external exploitation is low at present. However, the attack involves a simple unauthenticated HTTP POST request with minimal prerequisites, and the flaw is not mitigated by any additional controls. Because it is not listed in CISA\u2019s KEV catalog, it has not been reported as a known exploited vulnerability yet, but its high severity and lack of authentication underscore the importance of remediation. The attack vector is remote, performed over HTTP/HTTPS by submitting a request to the vulnerable endpoint; the attacker does not need to be authenticated or have any prior access."}}}}, "created": "2026-03-06T14:55:57.172884+00:00", "updated": "2026-04-17T12:30:06.270798+00:00", "vendors": ["chartbrew", "chartbrew$PRODUCT$chartbrew"]}