CVE-2026-35514
Unauthenticated Account Creation in Chartbrew
Publication date: 2026-04-30
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chartbrew | chartbrew | to 4.9.0 (inc) |
| chartbrew | chartbrew | 5.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35514 is a vulnerability in Chartbrew versions up to 4.9.0 where the POST /user/invited endpoint does not validate invite tokens, authentication headers, or sessions.
This allows any unauthenticated attacker to create a fully active user account and receive a valid JWT token without any restrictions, bypassing the normal signup process that enforces signup restrictions and requires email verification.
The flaw exists because the /user/invited endpoint creates active users without proper authentication checks, unlike the protected /user endpoint.
How can this vulnerability impact me? :
This vulnerability allows unauthorized attackers to create fully active accounts and gain immediate access to authenticated features of Chartbrew.
- Attackers can bypass signup restrictions even when signupRestricted is enabled.
- Attackers receive valid JWT tokens, enabling full API access.
- Attackers can interact with restricted resources and potentially compromise data confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the `/user/invited` endpoint. Specifically, look for POST requests that create new user accounts without proper authentication or invite token validation.
A practical detection method is to capture and analyze HTTP traffic to identify any POST requests to `/user/invited` that result in a 200 response containing a JWT token and user details, especially from unauthenticated sources.
Example commands to detect such activity could include using network traffic analysis tools like `tcpdump` or `Wireshark` to filter HTTP POST requests to `/user/invited`.
- Using tcpdump to capture HTTP POST requests to `/user/invited` on port 80 or 443: `tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep -i POST | grep '/user/invited'`
- Using curl to test the endpoint manually: `curl -X POST https://your-chartbrew-instance/user/invited -d '{"email":"[email protected]","password":"password"}' -H 'Content-Type: application/json' -v` and observe if a JWT token is returned without authentication.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chartbrew to version 5.0.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict access to the `/user/invited` endpoint by implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthenticated requests.
Additionally, monitor logs for any suspicious POST requests to `/user/invited` and revoke any unauthorized accounts created via this endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to create fully active accounts and gain immediate access to authenticated features without proper verification or authentication.
This unauthorized access could lead to potential confidentiality and integrity impacts on data handled by the application.
Such unauthorized access and potential data exposure may negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.