CVE-2026-35514
Received Received - Intake
Unauthenticated Account Creation in Chartbrew

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT β€” even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35514
EUVD
EUVD-2026-26405
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
chartbrew chartbrew to 4.9.0 (inc)
chartbrew chartbrew 5.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35514 is a vulnerability in Chartbrew versions up to 4.9.0 where the POST /user/invited endpoint does not validate invite tokens, authentication headers, or sessions.

This allows any unauthenticated attacker to create a fully active user account and receive a valid JWT token without any restrictions, bypassing the normal signup process that enforces signup restrictions and requires email verification.

The flaw exists because the /user/invited endpoint creates active users without proper authentication checks, unlike the protected /user endpoint.

Impact Analysis

This vulnerability allows unauthorized attackers to create fully active accounts and gain immediate access to authenticated features of Chartbrew.

  • Attackers can bypass signup restrictions even when signupRestricted is enabled.
  • Attackers receive valid JWT tokens, enabling full API access.
  • Attackers can interact with restricted resources and potentially compromise data confidentiality and integrity.
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the `/user/invited` endpoint. Specifically, look for POST requests that create new user accounts without proper authentication or invite token validation.

A practical detection method is to capture and analyze HTTP traffic to identify any POST requests to `/user/invited` that result in a 200 response containing a JWT token and user details, especially from unauthenticated sources.

Example commands to detect such activity could include using network traffic analysis tools like `tcpdump` or `Wireshark` to filter HTTP POST requests to `/user/invited`.

  • Using tcpdump to capture HTTP POST requests to `/user/invited` on port 80 or 443: `tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i POST | grep '/user/invited'`
  • Using curl to test the endpoint manually: `curl -X POST https://your-chartbrew-instance/user/invited -d '{"email":"[email protected]","password":"password"}' -H 'Content-Type: application/json' -v` and observe if a JWT token is returned without authentication.
Mitigation Strategies

The immediate mitigation step is to upgrade Chartbrew to version 5.0.0 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict access to the `/user/invited` endpoint by implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthenticated requests.

Additionally, monitor logs for any suspicious POST requests to `/user/invited` and revoke any unauthorized accounts created via this endpoint.

Compliance Impact

The vulnerability allows unauthenticated attackers to create fully active accounts and gain immediate access to authenticated features without proper verification or authentication.

This unauthorized access could lead to potential confidentiality and integrity impacts on data handled by the application.

Such unauthorized access and potential data exposure may negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35514. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart