CVE-2026-40601
Chartbrew Unauthenticated Data Refresh Vulnerability
Publication date: 2026-04-30
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chartbrew | chartbrew | to 5.0.0 (exc) |
| chartbrew | chartbrew | 5.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40601 is a vulnerability in Chartbrew versions 4.9.0 and earlier where the POST /api/chart/:chart_id/query endpoint lacks proper authorization checks.
This endpoint only verifies a team-level flag called allowReportRefresh but does not confirm whether the chart belongs to a public report, if the project is public, or if sharing policies allow the operation.
As a result, an unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve data from private charts, exposing sensitive information.
This issue is classified as CWE-862 (Missing Authorization) and was fixed in Chartbrew version 5.0.0.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive data contained in private charts.
An attacker without any authentication can access and refresh data from private projects, potentially exposing confidential or proprietary information.
The CVSS score of 7.5 indicates a high severity impact on confidentiality, meaning the breach of data privacy is significant.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to send an unauthenticated POST request to the endpoint /api/chart/:chart_id/query on the Chartbrew server. If the server responds with chart data without requiring authentication, it indicates the presence of the vulnerability.
A suggested command to test this is using curl to send a POST request with an empty variables object to a known chart ID, for example:
- curl -X POST https://your-chartbrew-instance/api/chart/42/query -d '{}' -H 'Content-Type: application/json'
If this command returns chart data including sensitive fields without authentication, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Chartbrew to version 5.0.0 or later, where the issue has been patched.
Until the upgrade can be performed, restrict access to the /api/chart/:chart_id/query endpoint by implementing network-level controls such as firewall rules or reverse proxy authentication to prevent unauthenticated access.
Additionally, review and adjust team and project sharing policies to limit exposure of sensitive data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to access private chart data, potentially exposing sensitive information without authorization.
Such unauthorized data exposure can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.
Because the flaw permits retrieval of confidential data from private projects, it undermines confidentiality requirements mandated by these regulations, increasing the risk of non-compliance.