CVE-2026-40904

April 30, 2026, 8:16 p.m.

8.1
High

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. This issue has been patched in version 5.0.0.

Product(s) Impacted

Vendor Product Versions
Chartbrew
  • Chartbrew
  • 4.9.0, 5.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a chartbrew chartbrew 4.9.0 / / / / / / /
a chartbrew chartbrew 5.0.0 / / / / / / /

References

https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
https://github.com/chartbrew/chartbrew/security/advisories/GHSA-jq95-gqww-vhm3
https://github.com/chartbrew/chartbrew/security/advisories/GHSA-jq95-gqww-vhm3

Tags

CWE-284
[email protected]
2026-04-30
CVE-2026-40904

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: April 30, 2026, 7:16 p.m.
Last Modified: April 30, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.