Security Flaw Exposes Database Credentials Through Unprotected Chart Export API
A broken access control vulnerability in the chart export endpoint allows low-privilege users to retrieve chart configurations—including embedded database credentials—belonging to other users. The flaw affects `GET /api/v1/chart/export/`, which accepts a list of chart IDs via the `q` parameter. While the endpoint validates that the requesting user holds the global `can_export` permission, it fails to verify whether the user has read access to each individual chart requested. This enables unauthorized access through simple ID enumeration.
An attacker with a basic viewer account can export charts owned by administrators by submitting a request such as `GET /api/v1/chart/export/?q=(ids:!(1,2,3,100,200))`. The response includes full chart configurations containing database references, even when those charts belong to users with elevated privileges. The root cause is that the export handler relies on a single global permission check instead of performing per-object authorization. The expected remediation is to add an ownership or permission check for each chart ID and return 403 Forbidden for any chart the requesting user cannot access.
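The missing check and its fix, as an added sketch that is not the affected project's code: the in-memory `CHARTS` store, the `User` and `Chart` types and the owner-only `can_read` rule are assumptions made for illustration. The hardened handler also answers 403 for IDs that do not exist, so the status code does not reveal which IDs are valid.

```python
import re
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class Chart:
    id: int
    owner: str
    config: dict

# Constructed sample data; owners and config fields are assumptions.
CHARTS = {
    1: Chart(1, "viewer", {"datasource": "public_sales"}),
    100: Chart(100, "admin", {"datasource": "finance_db"}),
}

def parse_ids(q):
    """Parse the q value shown in the article, e.g. (ids:!(1,2,3))."""
    m = re.fullmatch(r"\(ids:!\((\d+(?:,\d+)*)\)\)", q.strip())
    if not m:
        raise ValueError("malformed q parameter")
    return [int(x) for x in m.group(1).split(",")]

def can_read(user, chart):
    # Assumed per-object rule: owner only. A real application would
    # consult its own ownership and role model here.
    return chart.owner == user.name

def export_vulnerable(user, q):
    """Global permission check only: the behaviour the article describes."""
    if "can_export" not in user.permissions:
        return 403, []
    return 200, [CHARTS[i].config for i in parse_ids(q) if i in CHARTS]

def export_hardened(user, q):
    """Global check plus a read check on every requested chart."""
    if "can_export" not in user.permissions:
        return 403, []
    charts = [CHARTS.get(i) for i in parse_ids(q)]
    # Reject the whole request if any chart is missing or unreadable.
    if any(c is None or not can_read(user, c) for c in charts):
        return 403, []
    return 200, [c.config for c in charts]
```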
The exposure carries significant risk if chart configurations contain database connection strings or other sensitive credentials. An attacker who successfully enumerates chart IDs could gain access to backend data sources, potentially compromising systems beyond the application itself. Organizations relying on this platform's access control model to isolate sensitive data face heightened risk. Security teams should audit chart configurations for embedded credentials, restrict the `can_export` permission to trusted users, and monitor for anomalous export activity involving large numbers of chart IDs.