CVE-2026-40601
Received Received - Intake
Chartbrew Unauthenticated Data Refresh Vulnerability

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40601
EUVD
EUVD-2026-26409
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
chartbrew chartbrew to 5.0.0 (exc)
chartbrew chartbrew 5.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40601 is a vulnerability in Chartbrew versions 4.9.0 and earlier where the POST /api/chart/:chart_id/query endpoint lacks proper authorization checks.

This endpoint only verifies a team-level flag called allowReportRefresh but does not confirm whether the chart belongs to a public report, if the project is public, or if sharing policies allow the operation.

As a result, an unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve data from private charts, exposing sensitive information.

This issue is classified as CWE-862 (Missing Authorization) and was fixed in Chartbrew version 5.0.0.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive data contained in private charts.

An attacker without any authentication can access and refresh data from private projects, potentially exposing confidential or proprietary information.

The CVSS score of 7.5 indicates a high severity impact on confidentiality, meaning the breach of data privacy is significant.

Detection Guidance

This vulnerability can be detected by attempting to send an unauthenticated POST request to the endpoint /api/chart/:chart_id/query on the Chartbrew server. If the server responds with chart data without requiring authentication, it indicates the presence of the vulnerability.

A suggested command to test this is using curl to send a POST request with an empty variables object to a known chart ID, for example:

  • curl -X POST https://your-chartbrew-instance/api/chart/42/query -d '{}' -H 'Content-Type: application/json'

If this command returns chart data including sensitive fields without authentication, the system is vulnerable.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Chartbrew to version 5.0.0 or later, where the issue has been patched.

Until the upgrade can be performed, restrict access to the /api/chart/:chart_id/query endpoint by implementing network-level controls such as firewall rules or reverse proxy authentication to prevent unauthenticated access.

Additionally, review and adjust team and project sharing policies to limit exposure of sensitive data.

Compliance Impact

This vulnerability allows unauthenticated attackers to access private chart data, potentially exposing sensitive information without authorization.

Such unauthorized data exposure can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Because the flaw permits retrieval of confidential data from private projects, it undermines confidentiality requirements mandated by these regulations, increasing the risk of non-compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40601. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart