HIGHCVE-2026-30232Published 2026-04-10Modified 2026-04-15CNA GitHub_M

CVE-2026-30232: Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.

CVSS v4.0: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

chartbrew / chartbrew
< 4.8.5

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

References

https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv
https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1

Metrics