CVE-2026-40600
Authenticated Users Can Modify Cross-Project SharePolicy in Chartbrew
Publication date: 2026-04-30
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chartbrew | chartbrew | up to 5.0.0 (excluding 5.0.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40600 is an Incorrect Access Control vulnerability in Chartbrew versions 4.9.0 and earlier. It allows authenticated users who have access to one project to update or delete SharePolicy records that belong to a different project.
The problem arises because the affected routes authorize requests based on the project ID in the URL path but do not verify that the policy_id parameter actually belongs to that project. This means users can manipulate dashboard sharing rules across projects.
Specifically, an attacker with valid credentials for any project can exploit this by knowing or enumerating a victim's policy_id to change visibility settings, password requirements, allowed parameters, and expiration times of dashboards they should not have access to.
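The missing check described above, shown as an added example that is not Chartbrew's own code: a route handler that authorizes the project from the URL path but loads the policy by id alone, beside a hardened handler that scopes the lookup to that project. The in-memory data model, the `projectMembers` membership check, the handler names and the request shape are assumptions made for illustration.

```javascript
// Added example, not Chartbrew's code: the authorization pattern behind CVE-2026-40600,
// shown as a vulnerable handler beside the hardened one. The data model, route
// parameters and membership check are assumptions made for illustration.

// Constructed in-memory data: each SharePolicy row belongs to exactly one project,
// and each user may edit a known set of projects.
function makeStore() {
  return {
    sharePolicies: new Map([
      [101, { id: 101, project_id: 1, visibility: "private", password: "s3cret", expires_at: null }],
      [202, { id: 202, project_id: 2, visibility: "private", password: null, expires_at: null }],
    ]),
    projectMembers: new Map([
      ["alice", new Set([1])],
      ["bob", new Set([2])],
    ]),
  };
}

function userCanEditProject(store, user, projectId) {
  const projects = store.projectMembers.get(user);
  return Boolean(projects && projects.has(projectId));
}

// Vulnerable pattern: the project_id from the URL path is authorized, but the policy is
// then loaded by policy_id alone, so a member of any project can reach any policy.
function updateSharePolicyVulnerable(store, { user, projectId, policyId, changes }) {
  if (!userCanEditProject(store, user, projectId)) return { status: 403 };
  const policy = store.sharePolicies.get(policyId);
  if (!policy) return { status: 404 };
  Object.assign(policy, changes);
  return { status: 200, policy };
}

// Hardened pattern: the lookup is scoped to the authorized project, so a policy_id from
// another project is treated as not found (which also avoids confirming that it exists).
function updateSharePolicyFixed(store, { user, projectId, policyId, changes }) {
  if (!userCanEditProject(store, user, projectId)) return { status: 403 };
  const policy = store.sharePolicies.get(policyId);
  if (!policy || policy.project_id !== projectId) return { status: 404 };
  Object.assign(policy, changes);
  return { status: 200, policy };
}

// The same project scoping applied to the delete route.
function deleteSharePolicyFixed(store, { user, projectId, policyId }) {
  if (!userCanEditProject(store, user, projectId)) return { status: 403 };
  const policy = store.sharePolicies.get(policyId);
  if (!policy || policy.project_id !== projectId) return { status: 404 };
  store.sharePolicies.delete(policyId);
  return { status: 204 };
}

// Demonstration: alice (member of project 1) submits project 2's policy id to project 1's route.
const request = { user: "alice", projectId: 1, policyId: 202, changes: { visibility: "public" } };
console.log("vulnerable:", updateSharePolicyVulnerable(makeStore(), request).status); // 200
console.log("fixed:     ", updateSharePolicyFixed(makeStore(), request).status);      // 404
```

The fix is the single ownership comparison `policy.project_id !== projectId`; in an ORM such a check is usually expressed by including the project id in the query's where clause rather than filtering after the fact, so that the scoping cannot be forgotten on a new route.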
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized weakening of access restrictions on dashboards, exposure of sensitive information, and disruption of legitimate sharing workflows.
- An attacker can make a private dashboard public.
- An attacker can delete sharing policies entirely, removing access controls.
Because the attack requires only low privileges, no user interaction, and can be executed remotely, it poses a high risk to the confidentiality and integrity of dashboard data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification or deletion of SharePolicy records across projects by authenticated users. Detection involves monitoring for unusual API requests that attempt to update or delete SharePolicy records where the policy_id does not belong to the project specified in the URL path.
Specifically, you can look for requests to the SharePolicyController endpoints that include a policy_id parameter referencing policies outside the authenticated user's project scope.
Commands or methods to detect this might include:
- Review web server or application logs for HTTP requests to SharePolicy update or delete routes with mismatched project and policy_id parameters.
- Use grep or similar tools to search logs for suspicious API calls, for example: grep -E 'PATCH|DELETE' /path/to/logs | grep 'policy_id='
- Implement monitoring or alerting rules that flag requests where the authenticated user's project ID does not match the project ID associated with the policy_id being modified.
Note that the vulnerability requires knowledge or enumeration of valid policy_id values from other projects, so detection may also involve identifying unusual enumeration patterns or repeated access attempts.
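The log-review and alerting suggestions above turned into a runnable check, as an added example that is not part of the advisory: it parses access-log lines, extracts the project id from the URL path and the policy_id parameter, and flags update or delete requests where the policy belongs to a different project or to no known policy at all (the enumeration pattern mentioned above). The log format, the `/api/project/<id>/sharePolicy` route shape and the `policyOwner` lookup table are constructed assumptions; in practice the policy-to-project mapping would be exported from the application database.

```javascript
// Added example, not Chartbrew's code: flag SharePolicy update/delete requests whose
// policy_id belongs to a different project than the one in the URL path.
// Log format, route shape and the policy -> project map are constructed assumptions.

// Constructed lookup: policy id -> owning project id.
const policyOwner = new Map([[101, 1], [202, 2], [303, 3]]);

// Constructed combined-log-style lines; the project appears in the path and policy_id
// in the query string (the route shape is an assumption for illustration).
const sampleLog = `
10.0.0.5 - alice [30/Apr/2026:10:00:01 +0000] "PATCH /api/project/1/sharePolicy?policy_id=101 HTTP/1.1" 200 312
10.0.0.5 - alice [30/Apr/2026:10:00:09 +0000] "PATCH /api/project/1/sharePolicy?policy_id=202 HTTP/1.1" 200 298
10.0.0.5 - alice [30/Apr/2026:10:00:12 +0000] "DELETE /api/project/1/sharePolicy?policy_id=303 HTTP/1.1" 200 0
10.0.0.7 - bob [30/Apr/2026:10:01:00 +0000] "GET /api/project/2/sharePolicy?policy_id=202 HTTP/1.1" 200 512
10.0.0.7 - bob [30/Apr/2026:10:01:30 +0000] "PATCH /api/project/2/sharePolicy?policy_id=999 HTTP/1.1" 404 0
`;

const LINE_RE = /^(\S+) - (\S+) \[([^\]]+)\] "(PATCH|PUT|DELETE|POST|GET) (\S+) HTTP\/[\d.]+" (\d{3})/;
const PATH_RE = /^\/api\/project\/(\d+)\/sharePolicy(?:\/(\d+))?(?:\?(\S*))?$/;

// Parse one log line into its fields; returns null for lines that are not
// SharePolicy requests so that unrelated traffic is skipped.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, user, ts, method, target, status] = m;
  const p = PATH_RE.exec(target);
  if (!p) return null;
  // policy_id may appear as a path segment or as a query parameter.
  let policyId = p[2] ? Number(p[2]) : null;
  if (p[3]) {
    const q = new URLSearchParams(p[3]);
    if (q.has("policy_id")) policyId = Number(q.get("policy_id"));
  }
  return { ip, user, ts, method, status: Number(status), projectId: Number(p[1]), policyId };
}

// Return every modifying request whose policy_id is not owned by the project in the path.
function findCrossProjectPolicyRequests(logText, ownerMap) {
  const findings = [];
  for (const raw of logText.split("\n")) {
    const r = parseLine(raw.trim());
    if (!r || r.policyId === null) continue;
    if (!["PATCH", "PUT", "DELETE"].includes(r.method)) continue;
    const owner = ownerMap.get(r.policyId);
    if (owner === undefined) {
      findings.push({ ...r, reason: "unknown policy_id (possible enumeration)" });
    } else if (owner !== r.projectId) {
      findings.push({ ...r, reason: `policy belongs to project ${owner}` });
    }
  }
  return findings;
}

const report = findCrossProjectPolicyRequests(sampleLog, policyOwner);
for (const f of report) {
  console.log(`${f.ts} ${f.user}@${f.ip} ${f.method} project=${f.projectId} policy_id=${f.policyId} status=${f.status}: ${f.reason}`);
}
```

Requests that returned 200 with a mismatched project are the ones that indicate the vulnerability was actually exercised on an unpatched instance; 404 responses to unknown policy ids are still worth counting per user, since a burst of them is the enumeration pattern the answer above refers to.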
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Chartbrew to version 5.0.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, consider restricting access to the affected SharePolicy update and delete routes to only trusted users or projects.
Additionally, review and tighten access control policies to ensure that users cannot modify or delete SharePolicy records outside their authorized projects.
Monitor logs for suspicious activity related to SharePolicy modifications and respond promptly to any unauthorized attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized modification or deletion of SharePolicy records across projects, potentially weakening access restrictions and exposing sensitive dashboard data.
Such unauthorized access and exposure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal or sensitive data.
By enabling attackers to alter visibility, password requirements, and expiration settings of shared dashboards, the vulnerability increases the risk of data leakage or unauthorized data sharing, which may violate these regulatory standards.