Skip to main content

Chartbrew CVE-2026-40600

| EUVDEUVD-2026-26408 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-30 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 19:16 vuln.today
Analysis Generated
Apr 30, 2026 - 19:16 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 19:00 euvd
EUVD-2026-26408
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
CVE Published
Apr 30, 2026 - 18:22 nvd
HIGH 8.1

DescriptionGitHub Advisory

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.

AnalysisAI

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own due to insufficient authorization checks. An attacker with legitimate access to one project can manipulate SharePolicy records (visibility settings, passwords, allowed parameters, expiration dates) for dashboards in any other project within the same Chartbrew instance. While CVSS rates this 8.1 HIGH, real-world risk depends heavily on multi-tenancy deployment: single-organization instances face lower insider threat exposure than multi-tenant SaaS scenarios. EPSS data not available. No public exploit identified at time of analysis, though exploitation requires only basic authenticated API access.

Technical ContextAI

This is an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) in Chartbrew's SharePolicy management API. The application uses a web framework that authorizes API calls based on the project_id in the URL path but fails to validate that the policy_id parameter in the request body belongs to that same project. This broken object-level authorization allows horizontal privilege escalation across tenant boundaries. SharePolicy records control critical security functions for dashboard sharing: public visibility flags, password protection, parameter whitelisting, and time-based access expiration. The vulnerability exists in RESTful API endpoints (likely PUT/PATCH and DELETE routes) that accept both project_id (path parameter) and policy_id (body/query parameter) without cross-referencing them in the authorization layer.

RemediationAI

Upgrade immediately to Chartbrew version 5.0.0, released on the project's GitHub repository at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. According to the release notes, no manual migration is required and v4 users can update like any other version, though upgrading to Node.js v22+ is recommended. The fix implements proper authorization checks to verify that policy_id parameters belong to the project_id in the request path before allowing modification or deletion operations. For organizations unable to upgrade immediately, implement compensating controls at the reverse proxy or API gateway layer: add request validation middleware that queries the database to confirm policy_id ownership before forwarding PUT/PATCH/DELETE requests to SharePolicy endpoints (this adds latency and database load but prevents exploitation). Alternatively, restrict API access to SharePolicy routes using firewall rules or application-level ACLs to trusted administrator IPs only (this breaks legitimate multi-user workflows and is not sustainable long-term). Both workarounds are brittle and should be replaced with the official patch as soon as possible. Review SharePolicy audit logs for suspicious cross-project modifications between the 4.9.0 release date and your upgrade timestamp.

CVE-2026-27005 CRITICAL POC
9.8 Mar 06

SQL injection in Chartbrew before 4.8.3. PoC available.

CVE-2026-25888 HIGH POC
8.8 Mar 06

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu

CVE-2026-27603 HIGH POC
7.5 Mar 06

Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2026-25877 MEDIUM POC
6.5 Mar 06

Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated

CVE-2026-27605 MEDIUM POC
6.3 Mar 06

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,

CVE-2026-40904 HIGH
8.1 Apr 30

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d

CVE-2026-30232 HIGH
7.8 Apr 10

Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio

CVE-2026-32252 HIGH
7.7 Apr 10

Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens

CVE-2026-40601 HIGH
7.5 Apr 30

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin

CVE-2026-40595 HIGH
7.5 Apr 30

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e

CVE-2026-35514 MEDIUM
6.5 Apr 30

Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create

Share

CVE-2026-40600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy