CVE-2026-30232
Published: 10 April 2026
Summary
CVE-2026-30232 is a critical-severity SSRF (CWE-918) vulnerability in Depomo Chartbrew. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE is ranked at the 10.4th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly remediates the SSRF vulnerability by upgrading Chartbrew to version 4.8.5, which adds IP address validation for user-supplied URLs.
- SI-10 (Information Input Validation): requires validation of the URLs that authenticated users supply for API data connections, so the server cannot be made to fetch internal network addresses or cloud metadata endpoints. To be effective the check must cover every address the hostname resolves to (IPv4 and IPv6, including IPv4-mapped forms) and every redirect target, not only the URL as first submitted.
- SC-7 (Boundary Protection): monitors and controls outbound communications at system boundaries to block or detect SSRF attempts that target internal services or metadata endpoints; this is the compensating control while an instance is still on a version prior to 4.8.5.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF directly enables internal network probing (T1046) and queries to cloud instance metadata endpoints (T1552.005, Unsecured Credentials: Cloud Instance Metadata API, which absorbed the former standalone technique T1522) for discovery and credential access.
NVD Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.
Deeper analysis
CVE-2026-30232 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Chartbrew, an open-source web application that connects directly to databases and APIs to create charts. In versions prior to 4.8.5, Chartbrew allows authenticated users to create API data connections using arbitrary URLs, which the server fetches via the request-promise library without any IP address validation.
An attacker with low-privilege authenticated access to a Chartbrew instance can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying a malicious URL as the data connection target, the attacker makes the Chartbrew server issue requests on their behalf: to services reachable only from the server's network, or to the cloud instance metadata endpoint, which on the major cloud platforms returns instance credentials or identity tokens. The CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects high confidentiality and integrity impacts with a changed scope: the impact lands on systems beyond the Chartbrew application itself.
The vulnerability is addressed in Chartbrew 4.8.5; instances should be upgraded to that version or later. Details are available in the GitHub security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv and the fixing commit at https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1.
Details
- CWE(s)