


Perceptive Security
SOC/SIEM Consultancy

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew expos…
Published:
29 April 2026 at 22:00:00
Alert date:
30 April 2026 at 21:02:39
Source:
nvd.nist.gov
Web Technologies, Identity & Access
Chartbrew version 4.9.0 contains an authorization bypass vulnerability that allows authenticated attackers with access to one project within a team to perform unauthorized operations on datasets and data requests belonging to other projects in the same team. The vulnerability stems from improper authorization at the team level instead of project-specific binding. Attackers can read, execute, create, update, and delete datasets across projects, leading to cross-project data disclosure and unauthorized database/API access. The issue affects multiple dataset and dataRequest endpoints and is exploitable remotely with standard project-level credentials. A patch is available in version 5.0.0.
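The difference between a team-level check and a project-bound check, as an added sketch for regression testing. It is not Chartbrew's code: the data model, field names and functions (`memberships`, `teamWide`, `canAccessTeamScoped`, `canAccessProjectBound`, `overExposed`) are assumptions made for illustration.

```javascript
// Illustrative model only; this is not Chartbrew's schema or code.
// Constructed sample data: one team (10) with two projects (100, 200).
const datasets = [
  { id: 1, teamId: 10, projectIds: [100] },
  { id: 2, teamId: 10, projectIds: [200] },
  { id: 3, teamId: 10, projectIds: [] }, // not attached to any project
];
const memberships = [
  { userId: 7, teamId: 10, teamWide: false, projects: [100] }, // one project only
  { userId: 8, teamId: 10, teamWide: true, projects: [] },     // team-wide role
];

function findMembership(userId, teamId) {
  return memberships.find((m) => m.userId === userId && m.teamId === teamId);
}

// Weak pattern: any member of the owning team passes, whatever project
// the dataset belongs to.
function canAccessTeamScoped(userId, dataset) {
  return Boolean(findMembership(userId, dataset.teamId));
}

// Project-bound check: the dataset must sit in a project granted to the
// caller, unless the caller holds a team-wide role. A dataset with no
// project is denied to project-scoped members (fail closed).
function canAccessProjectBound(userId, dataset) {
  const m = findMembership(userId, dataset.teamId);
  if (!m) return false;
  if (m.teamWide) return true;
  return dataset.projectIds.some((p) => m.projects.includes(p));
}

// Audit helper: dataset ids the team-scoped check allows for this user
// but the project-bound check denies.
function overExposed(userId) {
  return datasets
    .filter((d) => canAccessTeamScoped(userId, d) && !canAccessProjectBound(userId, d))
    .map((d) => d.id);
}

console.log(overExposed(7), overExposed(8));
```

An empty result from `overExposed` for every project-scoped account is the property an authorization regression test should hold after upgrading.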
Affected products:
Chartbrew
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40904
https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
https://github.com/chartbrew/chartbrew/security/advisories/GHSA-jq95-gqww-vhm3
This article was created with the assistance of AI technology by Perceptive.
