Skip to main content

Chartbrew CVE-2026-40595

| EUVDEUVD-2026-26407 HIGH
Improper Access Control (CWE-284)
2026-04-30 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 19:15 vuln.today
Analysis Generated
Apr 30, 2026 - 19:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 19:00 euvd
EUVD-2026-26407
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
CVE Published
Apr 30, 2026 - 18:21 nvd
HIGH 7.5

DescriptionGitHub Advisory

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.

AnalysisAI

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart export routes. Attackers who know a chart identifier in any public project can read or export charts that were intentionally excluded from public reports, bypassing SharePolicy access controls. The vulnerability requires only network access and a valid chart ID, with no authentication or user interaction needed. Patched in version 5.0.0 per vendor advisory GHSA-mq7q-6xh6-5649. No public exploit identified at time of analysis, though exploitation complexity is low (CVSS AC:L).

Technical ContextAI

Chartbrew is an open-source web application for database and API visualization. The vulnerability stems from improper access control (CWE-284) in HTTP routes handling public chart retrieval and export. The affected routes perform project-level public access verification and team-level export toggle checks, but fail to validate chart-level permissions via the SharePolicy mechanism. This creates an Insecure Direct Object Reference (IDOR) vulnerability where chart identifiers can be used to bypass intended access restrictions. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is exploitable remotely without authentication, low complexity, and requires no user interaction. The application uses Node.js and has been affected since at least version 4.9.0, with the fix introduced in version 5.0.0 through a comprehensive UI overhaul and codebase refactoring.

RemediationAI

Upgrade to Chartbrew version 5.0.0 or later immediately, available at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. The vendor confirms no manual migration required for v4 users, though updating to Node.js v22+ is recommended. The patch addresses the authentication bypass through improved access control validation in public chart routes. If immediate patching is not feasible, implement compensating controls: disable team-level export functionality in admin settings to prevent chart data exports (trade-off: legitimate export features unavailable to all users), restrict public project access entirely until patching (trade-off: breaks intended public dashboard functionality), or implement reverse proxy/WAF rules to block unauthenticated requests to chart export endpoints matching patterns /api/*/chart/*/export or similar (trade-off: requires precise endpoint mapping and may break legitimate public access if rules are too broad). Review application logs for suspicious chart access patterns from unauthenticated sources prior to patching. Rotate any sensitive data exposed through hidden charts if unauthorized access is suspected.

CVE-2026-27005 CRITICAL POC
9.8 Mar 06

SQL injection in Chartbrew before 4.8.3. PoC available.

CVE-2026-25888 HIGH POC
8.8 Mar 06

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu

CVE-2026-27603 HIGH POC
7.5 Mar 06

Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2026-25877 MEDIUM POC
6.5 Mar 06

Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated

CVE-2026-27605 MEDIUM POC
6.3 Mar 06

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,

CVE-2026-40600 HIGH
8.1 Apr 30

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du

CVE-2026-40904 HIGH
8.1 Apr 30

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d

CVE-2026-30232 HIGH
7.8 Apr 10

Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio

CVE-2026-32252 HIGH
7.7 Apr 10

Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens

CVE-2026-40601 HIGH
7.5 Apr 30

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin

CVE-2026-35514 MEDIUM
6.5 Apr 30

Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create

Share

CVE-2026-40595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy