Chartbrew Unauthenticated Data Access Vulnerability in Chart Refresh Endpoint
Vulnerability
A vulnerability in Chartbrew version 4.9.0 allows unauthenticated access to private chart data through the POST /api/chart/:chart_id/query endpoint. The endpoint gates the request only on the team-level permission that allows report refreshing; it does not verify that the chart actually belongs to a public report, nor that the project's sharing settings permit the operation. As a result, an attacker who knows a chart ID can force a data refresh and read the returned data of a private chart without any credentials. This issue has been addressed in version 5.0.0.
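The following is an added illustration of the authorization gap described above; it is not Chartbrew's code. The data model (teams, charts, an `onPublicReport` flag), the helper names and the sample records are assumptions made for the example. It places the pre-fix style of check, which trusts the team-level refresh permission alone, beside a hardened check that additionally requires the chart to be on a public report before serving an anonymous caller, and requires team membership for everyone else.

```javascript
// Added example, not Chartbrew's code. Model and names are assumed for
// illustration only; 'allowReportRefresh' is the team permission the
// advisory names.

// Constructed sample data: one team with 'allowReportRefresh' enabled,
// one chart on a public report and one private chart in the same team.
const teams = {
  "team-1": { allowReportRefresh: true, members: ["alice"] },
};
const charts = {
  "chart-public": { teamId: "team-1", onPublicReport: true },
  "chart-private": { teamId: "team-1", onPublicReport: false },
};

// Vulnerable check (the pre-fix behaviour the advisory describes): for an
// anonymous caller the only gate is the team-level refresh permission, so
// every chart of such a team becomes readable without credentials.
function canQueryVulnerable(chartId, user) {
  const chart = charts[chartId];
  const team = teams[chart.teamId];
  if (user && team.members.includes(user)) return true;
  return team.allowReportRefresh === true;
}

// Hardened check: an anonymous caller is served only when the chart is on a
// public report AND the team permits public refreshes; an authenticated
// caller must be a member of the team that owns the chart.
function canQueryHardened(chartId, user) {
  const chart = charts[chartId];
  const team = teams[chart.teamId];
  if (user) return team.members.includes(user);
  return chart.onPublicReport === true && team.allowReportRefresh === true;
}

// Minimal Express-style handler stand-in so both checks can be compared for
// the same request. Returns the HTTP status that would be sent: 404 for an
// unknown chart, 403 when the check denies, 200 when the data source query
// would run and its result be returned.
function handleQuery(check, chartId, user) {
  if (!charts[chartId]) return 404;
  if (!check(chartId, user)) return 403;
  return 200;
}

// Stand-alone demonstration of the difference for an anonymous request.
console.log("vulnerable, private chart, no auth:",
  handleQuery(canQueryVulnerable, "chart-private", null));
console.log("hardened,   private chart, no auth:",
  handleQuery(canQueryHardened, "chart-private", null));
console.log("hardened,   public chart,  no auth:",
  handleQuery(canQueryHardened, "chart-public", null));
```

The point of the hardened check is that the team permission describes what the team is willing to expose, not which charts are exposed; the per-chart public-report status has to be consulted as well, and an authenticated caller still has to prove membership of the owning team.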
Impact
Exploitation of this vulnerability allows unauthenticated users to retrieve the data behind private charts, bypassing project sharing policies and exposing information that should be restricted to authenticated members of the owning team.
Reproduction
To reproduce this vulnerability, send a POST request to the /api/chart/:chart_id/query endpoint without any authentication header or session. Use the chart ID of a private chart belonging to a team that has the 'allowReportRefresh' permission enabled. The response contains the private chart's data, demonstrating the unauthorized access.
Remediation
Upgrade to Chartbrew version 5.0.0 or later, where this vulnerability has been patched. Until the upgrade is applied, disabling the 'allowReportRefresh' team permission removes the only condition under which the endpoint serves unauthenticated requests, at the cost of also breaking legitimate refreshes of public reports.
