Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.
Published: 2026-04-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chartbrew, an open-source web application for building charts from databases and APIs, contains an access-control flaw in its share-policy routes. The application authorizes the caller against the project specified in the URL path but never verifies that the policy_id supplied in the request belongs to that project. An authenticated attacker with access to a single project can therefore update or delete SharePolicy records that belong to any other project. This lets the attacker change visibility settings, password protection, allowed parameters, and expiration options for dashboards the attacker does not own, effectively leaking data that should be confined to another project.

Affected Systems

The vulnerability affects Chartbrew versions released up to 4.9.0. Version 5.0.0, available from the project's GitHub releases page, is the fixed version and includes the proper policy_id verification. The issue is specific to the chartbrew:chartbrew product as distributed by the developers.

Risk and Exploitability

A CVSS score of 8.1 categorizes this flaw as a high‑severity vulnerability. The EPSS score is not provided, so the exact exploitation probability is unknown, but the required attacker capability is modest: any user who can log in and has project access. Because the flaw permits modification of share settings, an attacker can expose sensitive data or alter dashboard behavior on projects they do not own. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no widespread exploitation has been observed yet. However, the lack of verification of policy_id means the attack path is straightforward for any authenticated user with any project access.

Generated by OpenCVE AI on May 1, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading Chartbrew to version 5.0.0 or later. This release includes a check that guarantees the policy_id belongs to the project referenced in the URL path.
  • If an immediate upgrade is not possible, restrict project access to trusted users and implement the least‑privilege principle so that users can only view or edit policies for projects they own or have explicit permissions for.
  • Conduct a security review of the share‑policy routes to confirm that no other endpoints provide similar cross‑project access, and monitor logs for unauthorized policy modifications.
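
The ownership check described in the first action, shown beside the unbound lookup, as an added example that is not Chartbrew's code. The in-memory store, field names and function names are hypothetical; `crossProjectWrites` sketches the log review from the third action.

```javascript
// Added illustration; data model and names are hypothetical, not Chartbrew's code.
function makeStore() {
  return {
    members: { alice: [1], bob: [2] }, // user -> projects they may manage
    policies: [
      { id: 10, projectId: 1, visibility: "private", passwordRequired: true },
      { id: 20, projectId: 2, visibility: "private", passwordRequired: true },
    ],
  };
}

const EDITABLE = ["visibility", "passwordRequired", "expiresAt"];
function applyChanges(policy, changes) {
  for (const key of EDITABLE) if (key in changes) policy[key] = changes[key];
  return policy;
}

// Both handlers first authorize the caller against the project in the path.
function canManageProject(store, user, projectId) {
  return (store.members[user] || []).includes(projectId);
}

// Flawed pattern: policy loaded by id alone, so any project's policy matches.
function updatePolicyUnbound(store, user, projectId, policyId, changes) {
  if (!canManageProject(store, user, projectId)) return { status: 403 };
  const policy = store.policies.find((p) => p.id === policyId);
  if (!policy) return { status: 404 };
  return { status: 200, policy: applyChanges(policy, changes) };
}

// Corrected pattern: lookup scoped to the authorized project; a foreign
// policy_id gets the same 404 as a nonexistent one.
function updatePolicyBound(store, user, projectId, policyId, changes) {
  if (!canManageProject(store, user, projectId)) return { status: 403 };
  const policy = store.policies.find(
    (p) => p.id === policyId && p.projectId === projectId
  );
  if (!policy) return { status: 404 };
  return { status: 200, policy: applyChanges(policy, changes) };
}

// Log review: flag writes whose route project is not the policy's owner.
function crossProjectWrites(store, entries) {
  const owner = new Map(store.policies.map((p) => [p.id, p.projectId]));
  return entries.filter(
    (e) => owner.has(e.policyId) && owner.get(e.policyId) !== e.projectId
  );
}
```

Returning 404 rather than 403 for a policy in another project avoids confirming to the caller that the id exists.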



Advisories

No advisories yet.

History

Thu, 30 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Chartbrew; Chartbrew chartbrew
Vendors & Products | | Chartbrew; Chartbrew chartbrew

Thu, 30 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.
Title | | Chartbrew: Incorrect Access Control in project share policy routes via unbound policy_id
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-30T18:51:59.306Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40600

Vulnrichment

Updated: 2026-04-30T18:50:23.833Z

NVD

Status: Deferred

Published: 2026-04-30T19:16:09.957

Modified: 2026-05-01T15:31:02.467

Link: CVE-2026-40600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses