Skip to main content

Chartbrew EUVDEUVD-2026-26410

| CVE-2026-40603 MEDIUM
Improper Access Control (CWE-284)
2026-04-30 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 19:16 vuln.today
Analysis Generated
Apr 30, 2026 - 19:16 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 19:00 euvd
EUVD-2026-26410
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
CVE Published
Apr 30, 2026 - 18:23 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0.

AnalysisAI

Chartbrew 4.9.0 fails to properly enforce project-level access controls on a legacy dashboard route, allowing any authenticated team member to read another team member's project report data and extract stored report passwords. The vulnerability affects users without explicit project access but with team membership, who can leverage the unprotected endpoint to view sensitive dashboard configurations and credentials. Patched in version 5.0.0.

Technical ContextAI

Chartbrew is an open-source data visualization platform that connects to databases and APIs to generate charts and dashboards. The vulnerability exists in a legacy API endpoint responsible for serving project dashboard data. The root cause is an authorization bypass (CWE-284: Improper Access Control) where the endpoint validates team membership but fails to verify project-level permissions. The endpoint returns the raw project object including sensitive fields such as stored report passwords. This is a common pattern in multi-tenant applications where endpoint-level access control neglects to implement role-based access control (RBAC) at the resource level, allowing horizontal privilege escalation within a team scope.

RemediationAI

Upgrade Chartbrew immediately to version 5.0.0 or later, which includes the authorization control patch. The upgrade path is straightforward for v4 users and does not require manual migration. If immediate upgrade is not feasible, restrict network access to the Chartbrew application to trusted internal users only, or implement reverse-proxy authentication requiring explicit project membership verification at the network layer. However, these workarounds do not address the underlying authorization flaw and should be considered temporary only. Monitor access logs for suspicious cross-project requests from low-privileged team members. See patch details and release notes at https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 and security advisory at https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f.

CVE-2026-27005 CRITICAL POC
9.8 Mar 06

SQL injection in Chartbrew before 4.8.3. PoC available.

CVE-2026-25888 HIGH POC
8.8 Mar 06

Remote code execution in Chartbrew prior to version 4.8.1 allows authenticated attackers to execute arbitrary code throu

CVE-2026-27603 HIGH POC
7.5 Mar 06

Chartbrew versions up to 4.8.4 is affected by missing authentication for critical function (CVSS 7.5).

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2026-25877 MEDIUM POC
6.5 Mar 06

Chartbrew versions before 4.8.1 fail to validate chart ownership during modification operations, allowing authenticated

CVE-2026-27605 MEDIUM POC
6.3 Mar 06

Chartbrew versions prior to 4.8.4 allow authenticated users to upload arbitrary files by bypassing file type validation,

CVE-2026-40600 HIGH
8.1 Apr 30

Authenticated users in Chartbrew 4.9.0 can modify or delete dashboard sharing policies across projects they don't own du

CVE-2026-40904 HIGH
8.1 Apr 30

Horizontal privilege escalation in Chartbrew 4.9.0 allows authenticated low-privilege team members to access datasets, d

CVE-2026-30232 HIGH
7.8 Apr 10

Server-Side Request Forgery in Chartbrew versions prior to 4.8.5 allows authenticated users to create API data connectio

CVE-2026-32252 HIGH
7.7 Apr 10

Cross-tenant authorization bypass in Chartbrew versions prior to 4.9.0 allows authenticated attackers to exfiltrate sens

CVE-2026-40601 HIGH
7.5 Apr 30

Unauthenticated remote attackers can access and refresh private chart data in Chartbrew 4.9.0 via an exposed API endpoin

CVE-2026-40595 HIGH
7.5 Apr 30

Chartbrew 4.9.0 allows unauthenticated attackers to access hidden chart data via authentication bypass in public chart e

Share

EUVD-2026-26410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy