CVE-2026-40595
Chartbrew Public Chart Data Exposure via Unauthorized Access
Publication date: 2026-04-30
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chartbrew | chartbrew | up to 5.0.0 (exclusive) |
| chartbrew | chartbrew | 5.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40595 is an Incorrect Access Control vulnerability in Chartbrew versions up to 4.9.0. The issue arises because the public chart retrieval and export routes only verify whether the project is public and, for exports, whether the team allows report exports; they do not check whether the specific chart is allowed on the public report or whether the SharePolicy permits public access.
As a result, an unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the public report, exposing data meant for internal use only.
This vulnerability was patched in Chartbrew version 5.0.0.
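The following added example is not Chartbrew's code; it illustrates, in plain Node.js, the difference between the project-level check described above and a chart-level check that also consults the report membership and share policy. The record shapes and field names (`project.public`, `team.allowReportExport`, `chart.onReport`, `sharePolicy.visibility`) and the fixture data are assumptions constructed for this example.

```javascript
// Added illustration for CVE-2026-40595 (not Chartbrew's code).
// Field names and fixtures below are assumptions, not Chartbrew's schema.

// Constructed fixtures standing in for database records.
const team = { id: 1, allowReportExport: true };
const project = { id: 10, teamId: 1, public: true };
const charts = {
  100: { id: 100, projectId: 10, onReport: true },  // placed on the public report
  101: { id: 101, projectId: 10, onReport: false }, // deliberately hidden from it
};
const sharePolicies = {
  100: { chartId: 100, visibility: 'public' },
  101: { chartId: 101, visibility: 'private' },
};

// Incomplete pattern: decides only on project/team-level flags, so any
// chart in a public project is served regardless of its own settings.
function vulnerableCanAccess(chartId, { isExport = false } = {}) {
  const chart = charts[chartId];
  if (!chart || chart.projectId !== project.id) return false;
  if (!project.public) return false;
  if (isExport && !team.allowReportExport) return false;
  return true; // chart.onReport and the share policy are never consulted
}

// Hardened pattern: every layer must allow access, and missing data
// (no chart, no policy) fails closed.
function hardenedCanAccess(chartId, { isExport = false } = {}) {
  const chart = charts[chartId];
  if (!chart || chart.projectId !== project.id) return false;
  if (!project.public) return false;
  if (!chart.onReport) return false;                      // chart must be on the public report
  const policy = sharePolicies[chartId];
  if (!policy || policy.visibility !== 'public') return false; // policy must permit public access
  if (isExport && !team.allowReportExport) return false;
  return true;
}

// Audit helper: chart ids the project-level check would expose that the
// chart-level check denies. Useful when reviewing which charts were
// reachable before upgrading.
function overExposedCharts() {
  return Object.keys(charts)
    .map(Number)
    .filter((id) => vulnerableCanAccess(id) && !hardenedCanAccess(id));
}

module.exports = { vulnerableCanAccess, hardenedCanAccess, overExposedCharts };
```

Running the audit helper on the fixtures reports chart 101: the project-level check serves it because the project is public, while the chart-level check refuses it because it is off the report and its policy is private. The same shape of check applies to the export route, which is why the hardened version keeps the export flag as an additional condition rather than the only one.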
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Chartbrew to version 5.0.0 or later, where the issue has been patched.
This update includes security enhancements such as invite token validation, access-control refinements, report access hardening, and share-policy protections that address the incorrect access control vulnerability.
How can this vulnerability impact me?
The primary impact of this vulnerability is unauthorized access to sensitive data. An attacker without authentication can access or export chart data that was intended to be hidden or restricted.
This could lead to exposure of confidential or internal information, potentially harming privacy, business confidentiality, or competitive advantage.
The export functionality may provide more complete data than what is visible in the user interface, increasing the risk of sensitive data leakage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access and export chart data that was intended to be hidden or restricted, potentially exposing sensitive or internal data.
Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.
Because the flaw permits access to data without proper authorization, organizations using affected versions of Chartbrew might risk violating privacy and security requirements mandated by these standards.