Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in an unauthorized access path that allows any authenticated member of a team to read the dashboards of projects for which they have not been granted explicit project‑level permissions. This access bypasses the normal authorization checks and exposes the raw project object, which can contain sensitive data such as the stored report password. The flaw is a classic example of improper authorization (CWE-284): a low‑privileged user gains access to confidential information that should be restricted.

Affected Systems

The affected product is Chartbrew, the open‑source dashboard platform. Versions prior to the 5.0.0 release, including 4.9.0, contain the flaw. The issue was fixed in Chartbrew version 5.0.0, which removes the obsolete route and enforces proper project‑level checks.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not reported, and the vulnerability is not listed in the CISA KEV catalog. The attack can be executed by any authenticated user who shares a team with the targeted project, so the precondition for exploitation is common within internal teams. An attacker only needs to know the route pattern, send a request, and capture the response that contains the sensitive project data.

Generated by OpenCVE AI on May 1, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chartbrew to version 5.0.0 or newer to apply the vendor fix.
  • Verify that the legacy dashboard route has been disabled and that project‑level access controls are enforced for all API endpoints.
  • Audit and monitor API activity for unexpected access patterns, especially from users who are not owners of the accessed projects.
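The following is an added illustration, not Chartbrew's own code: a minimal model of the same-team override behind this CVE, shown beside the project-level check that the second recommended action asks you to verify. The project, team and user records, the handler names and the audit log are all constructed for this example; Chartbrew's real models and handlers differ.

```javascript
// Added example (not Chartbrew's code): a minimal model of the flaw behind
// CVE-2026-40603 and of the project-level check that closes it.
// Project, team and user data below are constructed for illustration.

// One project owned by team 10. The stored report password is the secret
// the legacy route leaked when it serialized the whole project object.
const projects = [
  { id: 1, brewName: "sales-q1", teamId: 10, name: "Sales Q1",
    passwordProtected: true, password: "report-secret",
    charts: [{ id: 7, name: "Revenue by region" }] },
];
const teamMembers = { 10: [101, 102] };   // both users belong to team 10
const projectMembers = { 1: [101] };      // only user 101 may open project 1
const auditLog = [];                      // denied requests, for monitoring

function findProject(brewName) {
  return projects.find((p) => p.brewName === brewName);
}

// Vulnerable shape of GET /api/project/dashboard/:brewName: the only check is
// team membership, so any same-team user receives the raw project object,
// stored password included.
function legacyDashboard(brewName, user) {
  const project = findProject(brewName);
  if (!project) return { status: 404 };
  if (!teamMembers[project.teamId].includes(user.id)) return { status: 403 };
  return { status: 200, body: project };
}

// Hardened handler: the caller must be a member of the project itself, and the
// response never carries the stored password, only whether one is set.
function dashboard(brewName, user) {
  const project = findProject(brewName);
  if (!project) return { status: 404 };
  const allowed = (projectMembers[project.id] || []).includes(user.id);
  if (!allowed) {
    // Denied attempts are recorded so unexpected cross-project access shows up in monitoring.
    auditLog.push({ userId: user.id, brewName, outcome: "denied" });
    return { status: 403 };
  }
  const { password, ...safe } = project;  // strip the secret before serializing
  return { status: 200, body: safe };
}
```

Running both handlers for the same-team user 102 shows the difference: the legacy handler returns the project with its password, the hardened one returns 403 and writes an audit entry.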

Generated by OpenCVE AI on May 1, 2026 at 05:03 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Chartbrew; Chartbrew chartbrew

Type: Vendors & Products
Values Removed: (empty)
Values Added: Chartbrew; Chartbrew chartbrew

Thu, 30 Apr 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 19:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0.

Type: Title
Values Removed: (empty)
Values Added: Chartbrew: Incorrect Access Control in /api/project/dashboard/:brewName via same-team override

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-284

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-30T19:04:07.506Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40603

Vulnrichment

Updated: 2026-04-30T19:04:04.528Z

NVD

Status: Deferred

Published: 2026-04-30T19:16:10.253

Modified: 2026-05-01T15:31:02.467

Link: CVE-2026-40603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses