Skip to main content

Chartbrew CVE-2026-40601

| EUVDEUVD-2026-26409 HIGH
Missing Authorization (CWE-862)
2026-04-30 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 19:16 vuln.today
Analysis Generated
Apr 30, 2026 - 19:16 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 19:00 euvd
EUVD-2026-26409
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
CVE Published
Apr 30, 2026 - 18:22 nvd
HIGH 7.5

DescriptionGitHub Advisory

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.

AnalysisAI

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoint. The POST /api/chart/:chart_id/query endpoint lacks authentication checks and fails to validate whether charts belong to public reports or if sharing policies permit access. Attackers possessing a chart identifier can retrieve sensitive data from private dashboards without credentials. EPSS data not available. Not listed in CISA KEV. Vendor-confirmed vulnerability with patch released in version 5.0.0.

Technical ContextAI

Chartbrew is an open-source business intelligence and data visualization platform that connects to databases and APIs to generate charts and dashboards. The vulnerability stems from CWE-862 (Missing Authorization), where the application performs a privilege check (team.allowReportRefresh) but fails to implement proper authorization logic. The endpoint does not validate the relationship between the requested chart and public sharing settings, nor does it verify the authenticated identity of the requester. This broken access control allows direct object reference attacks where knowledge of a chart ID circumvents all access controls. The affected CPE is cpe:2.3:a:chartbrew:chartbrew:*:*:*:*:*:*:*:* indicating the core Chartbrew application. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates a remotely accessible API endpoint with no complexity barriers and no authentication requirement.

RemediationAI

Upgrade to Chartbrew version 5.0.0 or later, released by the vendor and available at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0. The release notes confirm no manual migration is required from v4 to v5, though Node.js v22+ is recommended. The patch addresses the missing authentication checks on the chart query endpoint. If immediate upgrade is not feasible, implement network-level access controls to restrict the /api/chart/ endpoint paths to authenticated users only via reverse proxy rules (nginx, Apache, or application firewall). This workaround prevents unauthenticated external access but may interfere with legitimate public report functionality if such features are in use. Alternatively, audit all chart identifiers for exposure in logs, analytics, or public-facing pages, and rotate identifiers if possible (requires application-level changes beyond standard configuration). Review sharing policies and team settings to ensure private charts are not inadvertently configured with team.allowReportRefresh enabled. The network restriction approach has minimal side effects for authenticated users but requires infrastructure changes; identifier rotation is operationally complex.

CVE-2026-27005 CRITICAL POC
9.8 Mar 06

SQL injection in Chartbrew before 4.8.3. PoC available.

CVE-2026-25888 HIGH POC
8.8 Mar 06

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu

CVE-2026-27603 HIGH POC
7.5 Mar 06

Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2026-25877 MEDIUM POC
6.5 Mar 06

Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated

CVE-2026-27605 MEDIUM POC
6.3 Mar 06

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,

CVE-2026-40600 HIGH
8.1 Apr 30

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du

CVE-2026-40904 HIGH
8.1 Apr 30

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d

CVE-2026-30232 HIGH
7.8 Apr 10

Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio

CVE-2026-32252 HIGH
7.7 Apr 10

Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens

CVE-2026-40595 HIGH
7.5 Apr 30

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e

CVE-2026-35514 MEDIUM
6.5 Apr 30

Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create

Share

CVE-2026-40601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy