CVE-2026-35514

Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew

CVSS 6.5 MEDIUM · EPSS 0.2% · CWE-306 · KEV: no
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track (no exploitation signal, so monitor)
Lifecycle
30 Apr 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT — even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
chartbrew · chartbrew
