Executive Summary

CVE-2026-40904 is a vulnerability in Chartbrew versions 4.9.0 and earlier where the application incorrectly enforces access control on dataset and dataRequest endpoints.

Instead of restricting access to datasets and data requests based on the specific project the user belongs to, the system only checks if the user has team-level access. This means an authenticated user with access to one project in a team can access, modify, or delete datasets and data requests belonging to other projects within the same team.

The flaw arises because permission checks do not verify that the requested dataset_id, dataRequest id, or connection_id actually belong to the caller's allowed projects, allowing cross-project unauthorized actions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure and modification of data across projects within the same team.

• An attacker with access to one project can read sensitive data from other projects.
• They can execute data requests on behalf of other projects, potentially running queries against victim-owned database or API connections.
• Attackers can create, update, or delete datasets and data requests in other projects, leading to data tampering or disruption of data retrieval processes.

Overall, this leads to significant confidentiality and integrity risks, though availability is not affected.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves verifying whether an authenticated user with access to one project can access datasets or data requests belonging to other projects within the same team. Since the issue arises from improper access control on dataset and dataRequest endpoints, testing unauthorized cross-project access attempts can reveal the vulnerability.

Specifically, an attacker with valid credentials for one project can attempt to read, execute, create, update, or delete datasets or data requests from other projects by using the dataset_id, dataRequest id, or connection_id of those projects.

While no explicit commands are provided, detection can be performed by making authenticated API requests to the dataset and dataRequest endpoints with IDs from other projects and observing if access is granted.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Chartbrew to version 5.0.0 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict access to the affected endpoints by limiting project-level user permissions and monitoring for suspicious cross-project access attempts.

Additionally, review team and project membership to ensure that only trusted users have access, and consider temporarily disabling or restricting API access to dataset and dataRequest routes if feasible.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated attacker to access, modify, and execute data requests and datasets across different projects within the same team, leading to unauthorized disclosure and tampering of potentially sensitive data.

Such unauthorized access and data disclosure can violate data protection principles required by common standards and regulations like GDPR and HIPAA, which mandate strict controls on data confidentiality, integrity, and access authorization.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to improper access control and potential exposure of sensitive personal or health-related data.

Useful 0 Not Useful 0