CVE-2026-30232 HIGH

CVE-2026-30232: Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs

Vendor Chartbrew
Product chartbrew
Weakness CWE-918 · SSRF
Published April 10, 2026
Last update April 15, 2026
View on NVD All CVEs

CVSS base score

7.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
April 15, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-42398 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access CVE-2025-22346 WordPress Course Migration for LearnDash plugin 1.0.2 - Server Side Request Forgery (SSRF) vulnerability CVE-2024-2090 Remote Content Shortcode <= 1.5 - Authenticated (Contributor+) Server-Side Request Forgery CVE-2022-1722 SSRF in editor's proxy via IPv6 link-local address in jgraph/drawio CVE-2026-45400 Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url`