Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. This issue has been patched in version 5.0.0.
Published: 2026-04-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chartbrew has an incorrect access control check in its dataset and dataRequest endpoints, allowing a user with only project-level permissions to reference any dataset or data request belonging to other projects within the same team. An authenticated attacker can exploit this weakness remotely to read, execute, create, update, and delete data from other projects. The weakness is classified as CWE-284 (Improper Access Control).

Affected Systems

The vulnerability affects the open-source application Chartbrew, specifically versions starting with 4.9.0. It has been fixed in release 5.0.0 and later.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack requires only ordinary project-level credentials and can be carried out remotely, giving an attacker broad unauthorized access within a team environment.

Generated by OpenCVE AI on May 1, 2026 at 05:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chartbrew version 5.0.0 or later to apply the vendor-supplied fix.
  • If an upgrade is not immediately possible, remove or revoke low-privileged project members from team scopes to reduce the attack surface.
  • Audit and adjust data access controls so that dataset identifiers, data request IDs, and connection IDs are validated against the caller's authorized projects.
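The authorization flaw the description covers (a team-level check where a project binding was needed) and the last recommended action above, shown side by side as an added JavaScript example (Chartbrew's backend is Node.js). This is illustrative code, not Chartbrew's own; the fixture, field names, route shape and function names are assumptions.

```javascript
// Constructed fixture, not Chartbrew's schema: one team (10) with two projects;
// the caller is a member of project 1 only. Field names are assumptions.
const projects = { 1: { team_id: 10 }, 2: { team_id: 10 } };
const connections = { 100: { project_id: 1 }, 200: { project_id: 2 } };
const datasets = {
  5: { project_id: 1, connection_id: 100 },
  6: { project_id: 2, connection_id: 200 }, // lives in a project the caller cannot use
};
const caller = { id: 42, team_ids: [10], project_ids: [1] };

// Team-scoped check of the kind the advisory describes: authorization stops at
// the team, so any dataset in any project of the caller's team is accepted.
function canAccessDatasetTeamScoped(user, datasetId) {
  const ds = datasets[datasetId];
  if (!ds) return false;
  return user.team_ids.includes(projects[ds.project_id].team_id);
}

// Project-bound check: the dataset and the connection named in the request
// must each resolve to a project the caller is explicitly allowed to use.
function canAccessDatasetProjectScoped(user, datasetId, requestedConnectionId) {
  const ds = datasets[datasetId];
  if (!ds) return false;
  const allowed = new Set(user.project_ids);
  if (!allowed.has(ds.project_id)) return false;
  // A request may supply its own connection_id; validate that one, not only
  // the stored one, so a permitted dataset cannot be pointed at another
  // project's database or API connection.
  const conn = connections[requestedConnectionId ?? ds.connection_id];
  return conn !== undefined && allowed.has(conn.project_id);
}

// Express-style guard built on the project-bound check (assumed route shape:
// req.user set by authentication, dataset_id as a path parameter).
function requireDatasetAccess(req, res, next) {
  const datasetId = Number(req.params.dataset_id);
  const connectionId = req.body ? req.body.connection_id : undefined;
  if (!canAccessDatasetProjectScoped(req.user, datasetId, connectionId)) {
    return res.status(403).json({ error: 'dataset not in an authorized project' });
  }
  return next();
}
```

Run the two checks against dataset 6 to see the difference: the team-scoped check accepts the cross-project request, the project-bound check refuses it.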



Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Chartbrew; Chartbrew chartbrew
Vendors & Products | | Chartbrew; Chartbrew chartbrew

Thu, 30 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. This issue has been patched in version 5.0.0.
Title | | Chartbrew: Incorrect Access Control in dataset and dataRequest routes via team-scoped permission checks
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Chartbrew Chartbrew
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-30T19:12:25.629Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40904

Vulnrichment

Updated: 2026-04-30T18:56:42.573Z

NVD

Status: Deferred

Published: 2026-04-30T19:16:10.433

Modified: 2026-05-01T15:31:02.467

Link: CVE-2026-40904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses