Cyber Resilience

CVE-2026-30232

High

Published: 10 April 2026

Published
10 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v4 7.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 15.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30232 is a high-severity SSRF (CWE-918) vulnerability in Depomo Chartbrew. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30232 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Chartbrew, an open-source web application that connects directly to databases and APIs to create charts. In versions prior to 4.8.5, Chartbrew allows authenticated users to create API data connections using arbitrary URLs, which the server fetches via the request-promise library without any IP address validation.

An attacker with low-privilege authenticated access to a Chartbrew instance can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying a malicious URL, the attacker can force the server to make unauthorized requests to internal networks or cloud metadata endpoints, potentially compromising sensitive data. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects the high confidentiality and integrity impacts with a changed scope.

The vulnerability is addressed in Chartbrew 4.8.5. Mitigation details are available in the GitHub security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv and the fixing commit at https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these…

more

URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF directly enables internal network probing (T1046) and queries to cloud metadata endpoints (T1522/T1552.005) for discovery and credential access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25887Same product: Depomo Chartbrew
CVE-2026-32252Same product: Depomo Chartbrew
CVE-2026-27603Same product: Depomo Chartbrew
CVE-2026-25888Same product: Depomo Chartbrew
CVE-2026-27005Same product: Depomo Chartbrew
CVE-2026-25991Shared CWE-918
CVE-2026-42141Shared CWE-918
CVE-2026-38527Shared CWE-918
CVE-2026-31941Shared CWE-918
CVE-2026-34746Shared CWE-918

Affected Assets

depomo
chartbrew
≤ 4.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the SSRF vulnerability by patching Chartbrew to version 4.8.5, which adds IP address validation for user-supplied URLs.

prevent

Requires validation of authenticated user inputs for API data connection URLs to block arbitrary fetches to internal networks or cloud metadata endpoints.

preventdetect

Monitors and controls outbound communications at system boundaries to block or detect SSRF attempts targeting internal services or metadata endpoints.

References