Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.
Published: 2026-04-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chartbrew exposes a POST endpoint that triggers a data refresh for a chart without requiring authentication. An attacker who can determine a chart identifier can use this to view the current data of private charts, effectively exfiltrating confidential information. The weakness is a missing authorization control, classified as CWE‑862.

Affected Systems

The vulnerability affects Chartbrew version 4.9.0. It was fixed in version 5.0.0. All deployments of the 4.9.x series that include the /api/chart/:chart_id/query endpoint are potentially exploitable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No EPSS score is published, and the issue is not listed in CISA KEV. The attack path is a remote HTTP POST to /api/chart/:chart_id/query; an attacker only needs a valid chart ID, which may be discovered through enumeration or public references. Since authentication is not enforced, the vulnerability can be exploited from any network that can reach the API endpoint.

Generated by OpenCVE AI on May 1, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chartbrew to version 5.0.0 or later where the endpoint requires authentication.
  • If an upgrade cannot be applied immediately, block unauthenticated POST requests to /api/chart/:chart_id/query by configuring a reverse proxy or firewall rule that enforces authentication or drops the request.
  • Enable logging or monitoring for POST requests to /api/chart/* and investigate suspicious activity, ensuring that only authenticated users trigger chart refreshes.

Generated by OpenCVE AI on May 1, 2026 at 05:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Chartbrew
Chartbrew chartbrew
Vendors & Products Chartbrew
Chartbrew chartbrew

Thu, 30 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.
Title Chartbrew: Missing Authorization in /api/chart/:chart_id/query via team-level refresh toggle
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Chartbrew Chartbrew
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-30T18:22:43.557Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40601

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-04-30T19:16:10.110

Modified: 2026-05-01T15:31:02.467

Link: CVE-2026-40601

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses