8.7
Chartbrew: Unauthenticated Access to Team/Project Chart Data
CVE-2026-27603
Summary
Before version 4.8.4, Chartbrew didn't properly control access to chart data. This meant that anyone could view chart data from any team or project without needing a login. Update to version 4.8.4 or later to fix this issue.
What to do
Update Chartbrew to version 4.8.4 or later, which patches this issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| depomo | chartbrew | <= 4.8.4 | – |
Original title
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:proje...
Original description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing unauthenticated users to access chart data from any team/project. This issue has been patched in version 4.8.4.
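The missing-middleware condition described above, as an added example that is not Chartbrew's own code: a constructed route table for the affected path, a minimal Express-style dispatcher, and an audit that flags routes registered without `verifyToken` or `checkPermissions`. The middleware bodies, the request shape, and the `dispatch` and `auditRoutes` helpers are assumptions made for illustration.

```javascript
// Stand-in middleware: names come from the advisory, bodies are assumptions.
function verifyToken(req, res, next) {
  if (!req.user) return res.status(401).end(); // no authenticated user
  next();
}
function checkPermissions(req, res, next) {
  // Assumed model: the user object lists the project ids it may read.
  if (!req.user.projects.includes(req.params.project_id)) return res.status(403).end();
  next();
}
function filterChart(req, res) { res.status(200).end(); } // would return chart data

const PATH = "/project/:project_id/chart/:chart_id/filter";
// Constructed route tables: the pre-4.8.4 shape and the corrected one.
const vulnerable = [{ method: "POST", path: PATH, stack: [filterChart] }];
const patched = [
  { method: "POST", path: PATH, stack: [verifyToken, checkPermissions, filterChart] },
];

// Run a middleware chain the way Express does: each function either ends
// the response or calls next(). Returns the resulting HTTP status.
function dispatch(route, req) {
  let status = null;
  const res = { status(code) { status = code; return this; }, end() {} };
  let i = 0;
  const next = () => { if (i < route.stack.length) route.stack[i++](req, res, next); };
  next();
  return status;
}

// Audit: list every route whose stack lacks a required middleware, by name.
function auditRoutes(routes, required = ["verifyToken", "checkPermissions"]) {
  return routes.flatMap((r) => {
    const names = r.stack.map((fn) => fn.name);
    const missing = required.filter((m) => !names.includes(m));
    return missing.length ? [{ route: `${r.method} ${r.path}`, missing }] : [];
  });
}
```

An audit of this kind fits in a unit test or CI step, so that a route added without the authentication and authorization middleware fails the build.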
nvd CVSS4.0
8.7
Vulnerability type
CWE-306
Missing Authentication for Critical Function
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026