Chartbrew Cross-Tenant Authorization Bypass Vulnerability in Template Generation Endpoint
Vulnerability
A cross-tenant authorization bypass vulnerability has been identified in Chartbrew versions prior to 4.9.0. The issue resides in the GET /team/:team_id/template/generate/:project_id endpoint. The vulnerability allows an authenticated attacker with template-generation permissions to access project data from another team. This occurs because the endpoint does not properly validate project ownership or await access verification, leading to unauthorized data exposure.
Impact
Exploitation of this vulnerability breaks tenant isolation, allowing attackers to access sensitive project data from other teams. This includes chart names, variables, dataset and data request structures, and decrypted connection details such as hosts and request headers. In live tests, this endpoint returned a 200 OK status while leaking critical information, including API credentials and other operational secrets.
Reproduction
To reproduce this vulnerability, create two users in Chartbrew: one for the attacker and one for the victim. The attacker must have valid template-generation permissions. After setting up a project in the victim's account, use the attacker's bearer token to send a request to the vulnerable endpoint, targeting a project from the victim's team. The response will include the leaked victim data.
Remediation
Users should update to Chartbrew version 4.9.0 or later, where this vulnerability has been fixed.
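The defect described in the Vulnerability section (an access check that is not awaited, and a project loaded by id without confirming it belongs to the requested team) and the shape of the fix are illustrated below. This is an added example, not Chartbrew's code: the in-memory projects, memberships, user ids and helper names are all constructed for illustration.

```javascript
// Constructed sample data (not from Chartbrew): two teams, one project each.
const projects = new Map([
  ["p-1", { id: "p-1", team_id: "t-1", name: "Victim dashboard" }],
  ["p-2", { id: "p-2", team_id: "t-2", name: "Other dashboard" }],
]);

// Hypothetical membership table: who may generate templates for which team.
const memberships = [
  { user_id: "u-victim", team_id: "t-1", canGenerateTemplates: true },
  { user_id: "u-other", team_id: "t-2", canGenerateTemplates: true },
];

// Simulated async database lookups.
async function hasTeamPermission(userId, teamId) {
  return memberships.some(
    (m) => m.user_id === userId && m.team_id === teamId && m.canGenerateTemplates
  );
}
async function getProject(projectId) {
  return projects.get(projectId) || null;
}

// VULNERABLE: models the pre-4.9.0 defect. The permission check is not
// awaited, so `allowed` is a pending Promise and therefore always truthy,
// and the project is fetched by id alone with no check against :team_id.
async function generateTemplateVulnerable(userId, teamId, projectId) {
  const allowed = hasTeamPermission(userId, teamId); // missing await
  if (!allowed) return { status: 403 };
  const project = await getProject(projectId);
  if (!project) return { status: 404 };
  return { status: 200, project };
}

// FIXED: await the permission check, then refuse to return a project that
// does not belong to the team named in the URL (404, so existence of
// another team's project id is not confirmed either).
async function generateTemplateFixed(userId, teamId, projectId) {
  const allowed = await hasTeamPermission(userId, teamId);
  if (!allowed) return { status: 403 };
  const project = await getProject(projectId);
  if (!project || project.team_id !== teamId) return { status: 404 };
  return { status: 200, project };
}

// Stand-alone demo: a t-2 member asking for t-1's project via their own team id.
generateTemplateVulnerable("u-other", "t-2", "p-1").then((r) => console.log("vulnerable:", r.status));
generateTemplateFixed("u-other", "t-2", "p-1").then((r) => console.log("fixed:", r.status));
```

The fixed handler still returns 200 for a member requesting a project of their own team, which is the check that keeps the endpoint functional while restoring tenant isolation.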