Cross-Tenant Authorization Bypass in Chartbrew Web Application
CVE-2026-32252

7.7 HIGH

Key Information:

Vendor: Chartbrew

Status
Vendor
CVE Published: 10 April 2026

What is CVE-2026-32252?

Chartbrew, an open-source web application for creating charts from data, has a cross-tenant authorization bypass vulnerability. It occurs in the handling of the GET request that generates templates, where the application fails to enforce access controls properly. The function checkAccess(req, 'updateAny', 'chart') is called without waiting for its result, so a user with valid permissions in one team can gain unauthorized access to project data belonging to another team. This can expose sensitive data; users should upgrade to version 4.9.0 to mitigate the risk.
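
The pattern described above, as an added example that is not Chartbrew's code: a constructed handler calls an async authorization check without awaiting it, shown beside the awaited form. Everything except the checkAccess(req, 'updateAny', 'chart') call shape is an assumption: the handler names, the data, and the status codes.

```javascript
// Constructed sample data (hypothetical, not Chartbrew's schema).
const PROJECT_TEAM = { 10: "team-a", 20: "team-b" };
const PROJECT_DATA = { 10: "team-a charts", 20: "team-b charts" };

// Hypothetical async check: rejects when the caller's team does not own the project.
async function checkAccess(req, action, entity) {
  await new Promise((resolve) => setImmediate(resolve)); // simulated DB lookup
  if (PROJECT_TEAM[req.projectId] !== req.user.team) {
    throw new Error(`403: ${action} on ${entity} denied`);
  }
  return true;
}

// Un-awaited form: the handler builds its response before the authorization
// decision exists, so a denial can no longer stop it.
async function generateTemplateUnawaited(req) {
  // .catch only keeps this demo process alive; the result is still discarded.
  checkAccess(req, "updateAny", "chart").catch(() => {});
  return { status: 200, body: PROJECT_DATA[req.projectId] };
}

// Awaited form: the response is built only after the check resolves.
async function generateTemplateAwaited(req) {
  try {
    await checkAccess(req, "updateAny", "chart");
  } catch (err) {
    return { status: 403, body: null };
  }
  return { status: 200, body: PROJECT_DATA[req.projectId] };
}

// Run both handlers with a team-a user asking for team-a and team-b projects.
async function demo() {
  const crossTenant = { user: { team: "team-a" }, projectId: 20 };
  const sameTenant = { user: { team: "team-a" }, projectId: 10 };
  return {
    unawaitedCross: await generateTemplateUnawaited(crossTenant),
    awaitedCross: await generateTemplateAwaited(crossTenant),
    awaitedSame: await generateTemplateAwaited(sameTenant),
  };
}

demo().then((r) => console.log(r));
```

In code review, a call to an async authorization function whose promise is neither awaited nor returned is the thing to look for; the typescript-eslint rule no-floating-promises flags it in TypeScript code bases.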

Affected Version(s)

chartbrew < 4.9.0

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
