PT-2026-32028 · Chartbrew · Chartbrew

Kakeru-Ishii · Published 2026-04-10 · Updated 2026-04-10 · CVE-2026-32252

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Chartbrew versions prior to 4.9.0

Description

Chartbrew is a web application that connects to databases and APIs to create charts. A cross-tenant authorization bypass exists in the GET /team/:team_id/template/generate/:project_id endpoint. The handler calls checkAccess(req, "updateAny", "chart") without awaiting the promise, and it does not verify that the supplied project_id belongs to the requesting team. This allows an authenticated attacker with template-generation permissions in their own team to request template data for a project belonging to another team and receive victim project data.

Recommendations

Update to version 4.9.0 or later.
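
The two defects named in the description, next to a hardened handler and a small regression matrix, as an added example (not Chartbrew's code and not its 4.9.0 patch). The in-memory data, the body of checkAccess, the grant strings and the handler names are assumptions; the requests are constructed.

```javascript
// Added illustration; NOT Chartbrew source. Data, helper bodies and names are constructed.
const projects = {
  10: { id: 10, team_id: 1, charts: ["team-1 revenue"] },
  20: { id: 20, team_id: 2, charts: ["team-2 payroll"] },
};
const members = {
  alice: { team_id: 1, grants: ["updateAny:chart"] }, // may generate templates in team 1
  bob: { team_id: 1, grants: [] },                    // team 1 member without that grant
};

// Hypothetical stand-in for checkAccess: resolves to true only when the caller
// holds the grant inside the team named in the URL.
async function checkAccess(req, action, resource) {
  const m = members[req.user];
  return Boolean(m && m.team_id === Number(req.params.team_id) &&
    m.grants.includes(`${action}:${resource}`));
}

// Pattern described in the advisory: the promise is dropped, so its outcome
// never gates the response, and project_id is never tied to team_id.
async function generateVulnerable(req) {
  checkAccess(req, "updateAny", "chart"); // missing await
  const project = projects[req.params.project_id];
  return project ? { status: 200, body: project.charts } : { status: 404 };
}

// Hardened form: await the decision, then scope the lookup to the URL's team.
async function generateHardened(req) {
  if (!(await checkAccess(req, "updateAny", "chart"))) return { status: 403 };
  const project = projects[req.params.project_id];
  if (!project || project.team_id !== Number(req.params.team_id)) {
    return { status: 404 }; // same answer for "missing" and "another team's"
  }
  return { status: 200, body: project.charts };
}

// Regression matrix: statuses a handler returns for three constructed requests.
async function runMatrix(handler) {
  const cases = [
    { user: "alice", params: { team_id: "1", project_id: "10" } }, // own project
    { user: "alice", params: { team_id: "1", project_id: "20" } }, // other team's project
    { user: "bob", params: { team_id: "1", project_id: "10" } },   // no grant
  ];
  const out = [];
  for (const req of cases) out.push((await handler(req)).status);
  return out;
}
runMatrix(generateVulnerable).then((s) => console.log("vulnerable:", s));
runMatrix(generateHardened).then((s) => console.log("hardened:  ", s));
```

A matrix like this works as a regression test after upgrading: only the first request should succeed.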

Exploit

Fix

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2026-32252

Affected Products: Chartbrew