CVE-2026-32252
Published: 10 April 2026
Summary
CVE-2026-32252 is a high-severity Improper Authorization (CWE-285) vulnerability in Depomo Chartbrew. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 8.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires enforcement of approved authorizations for access to system resources, directly mitigating the improper authorization check and missing project-team ownership verification in the cross-tenant endpoint.
- Mandates validation of information inputs like project_id against team_id context, preventing exploitation via mismatched parameters in multi-tenant requests.
- Enforces least privilege to scope permissions like template-generation to the user's own team, limiting the impact of flawed authorization enforcement across tenants.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable authorization bypass in a public-facing web app endpoint (GET /team/:team_id/template/generate/:project_id) that enables cross-tenant data access; this directly maps to exploitation of a public-facing application.
NVD Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.
Deeper analysis
CVE-2026-32252 is a cross-tenant authorization bypass vulnerability in Chartbrew, an open-source web application for connecting to databases and APIs to generate charts from data. Affecting versions prior to 4.9.0, the issue resides in the GET /team/:team_id/template/generate/:project_id endpoint. The handler invokes checkAccess(req, "updateAny", "chart") without awaiting the promise and fails to validate that the supplied project_id belongs to the specified team_id or the caller's team, enabling unauthorized access to project data across tenants. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-285 (Improper Authorization).
An authenticated attacker with template-generation permissions in their own team can exploit this vulnerability remotely over the network with low complexity and no user interaction. By crafting a request with a victim team's project_id, the attacker bypasses authorization checks because the checkAccess promise is never awaited and project ownership is never verified, gaining access to the template model and sensitive project data from another team. This results in a high-impact confidentiality violation in a changed scope, potentially exposing proprietary data visualizations or underlying database/API insights.
The vulnerability is addressed in Chartbrew version 4.9.0, as detailed in the GitHub security advisory GHSA-mw4f-cf22-qpcj and the fixing commit bf5919043d3587fcbe76123aaabd9a0a9d1033f1. Security practitioners should upgrade to 4.9.0 or later and review access controls in multi-tenant endpoints to prevent similar issues.
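As an added illustration (not Chartbrew's code and not the fixing commit), the vulnerable handler shape beside a hardened one; the in-memory project store, the user object, the request shape and the checkAccess() helper are all hypothetical stand-ins for the real application's:

```javascript
// Added example (not Chartbrew's code): a minimal model of the bug class above.
// Projects, users and the checkAccess() helper are hypothetical and in-memory.
const projects = new Map([
  [1, { id: 1, team_id: 10, name: "victim team project" }],
  [2, { id: 2, team_id: 20, name: "attacker team project" }],
]);

// Hypothetical permission check: resolves when the caller holds the
// "action:resource" permission, rejects otherwise.
async function checkAccess(req, action, resource) {
  if (!req.user.permissions.includes(`${action}:${resource}`)) {
    throw new Error("forbidden");
  }
  return true;
}

// Vulnerable shape: checkAccess() is called but not awaited, so the handler
// proceeds regardless of its outcome, and project_id is never compared with
// the team in the URL or with the caller's own teams.
function vulnerableHandler(req) {
  checkAccess(req, "updateAny", "chart"); // promise discarded, result unused
  const project = projects.get(Number(req.params.project_id));
  return { status: project ? 200 : 404, body: project || null };
}

// Hardened shape: await the authorization result, confirm the caller belongs
// to the team named in the URL, and confirm the project belongs to that team.
async function hardenedHandler(req) {
  try {
    await checkAccess(req, "updateAny", "chart");
  } catch (err) {
    return { status: 403, body: null };
  }
  const teamId = Number(req.params.team_id);
  if (!req.user.team_ids.includes(teamId)) return { status: 403, body: null };
  const project = projects.get(Number(req.params.project_id));
  if (!project || project.team_id !== teamId) return { status: 404, body: null };
  return { status: 200, body: project };
}

// Constructed request: a member of team 20 holding template permissions in
// that team asks for project 1, which belongs to team 10.
const crossTenantRequest = {
  user: { id: 7, team_ids: [20], permissions: ["updateAny:chart"] },
  params: { team_id: "20", project_id: "1" },
};

console.log("vulnerable:", vulnerableHandler(crossTenantRequest).status);
hardenedHandler(crossTenantRequest).then((r) => console.log("hardened:", r.status));
```

The vulnerable handler answers the cross-tenant request with 200 and the victim's project, while the hardened one answers 404 because project 1 is not owned by team 20.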
Details
- CWE(s)