Skip to main content

Chartbrew CVE-2026-40904

| EUVDEUVD-2026-26411 HIGH
Improper Access Control (CWE-284)
2026-04-30 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 19:15 vuln.today
Analysis Generated
Apr 30, 2026 - 19:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 19:00 euvd
EUVD-2026-26411
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
CVE Published
Apr 30, 2026 - 18:20 nvd
HIGH 8.1

DescriptionGitHub Advisory

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. This issue has been patched in version 5.0.0.

AnalysisAI

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, data requests, and database connections belonging to other projects within the same team. Attackers with credentials to any single project can read, modify, create, and delete data assets across all sibling projects by exploiting missing project-level authorization checks on multiple API endpoints. This enables cross-project data exfiltration and unauthorized execution of victim database queries remotely with low complexity (EPSS not provided, no CISA KEV listing, vendor-patched in v5.0.0).

Technical ContextAI

Chartbrew is an open-source data visualization platform that connects to databases and APIs to generate charts. The vulnerability stems from CWE-284 (Improper Access Control) where the application performs authorization at the team membership level rather than validating project-specific ownership. The affected endpoints (dataset, dataRequest, connection management APIs) fail to bind the requested resource IDs (dataset_id, dataRequest_id, connection_id) to the authenticated caller's authorized project scope. This creates a horizontal privilege escalation condition where any valid team-level credential grants access to resources across all projects within that organizational boundary, bypassing intended project isolation.

RemediationAI

Upgrade to Chartbrew version 5.0.0 or later, released by the vendor to address this authorization flaw (https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0). The v5.0.0 release notes confirm migration from v4 requires no manual steps, though upgrading to Node.js v22+ is recommended. Until patching is complete, restrict team membership to only fully trusted users who should have access to all projects within the team, effectively treating team-level access as equivalent to cross-project access. Audit existing team configurations to identify users with access to multiple projects and review application logs for suspicious cross-project dataset or dataRequest API calls from accounts that should have limited project scope. Network segmentation or authentication proxy rules cannot effectively mitigate this flaw as it requires valid credentials; the only compensating control is limiting the trust boundary to match the team boundary until the patch is applied.

CVE-2026-27005 CRITICAL POC
9.8 Mar 06

SQL injection in Chartbrew before 4.8.3. PoC available.

CVE-2026-25888 HIGH POC
8.8 Mar 06

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu

CVE-2026-27603 HIGH POC
7.5 Mar 06

Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2026-25877 MEDIUM POC
6.5 Mar 06

Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated

CVE-2026-27605 MEDIUM POC
6.3 Mar 06

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,

CVE-2026-40600 HIGH
8.1 Apr 30

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du

CVE-2026-30232 HIGH
7.8 Apr 10

Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio

CVE-2026-32252 HIGH
7.7 Apr 10

Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens

CVE-2026-40601 HIGH
7.5 Apr 30

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin

CVE-2026-40595 HIGH
7.5 Apr 30

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e

CVE-2026-35514 MEDIUM
6.5 Apr 30

Unauthenticated account creation in Chartbrew 4.9.0 allows any remote attacker to bypass signup restrictions and create

Share

CVE-2026-40904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy