Chartbrew CVE-2026-40595: Unauthenticated Data Exposure for Hidden Charts
The National Vulnerability Database has disclosed CVE-2026-40595, a high-severity vulnerability (CVSS 7.5) affecting Chartbrew, an open-source web application for data visualization. This flaw, present in version 4.9.0, allows an unauthenticated attacker to access and export data from charts that were explicitly hidden from public reports.
The vulnerability stems from insufficient access controls on the public chart retrieval and export routes. According to the National Vulnerability Database, these routes only verify project-level public access and a team-level export toggle, and never check whether the specific chart is permitted for public display by its governing SharePolicy. An attacker only needs to know a chart identifier within a public project to exploit this.
This isn’t just a misconfiguration risk; it’s a fundamental design flaw that bypasses intended visibility restrictions. Defenders using Chartbrew 4.9.0 or earlier must recognize that ‘hidden’ charts are anything but. The issue has been patched in version 5.0.0, making an immediate upgrade critical for any organization leveraging Chartbrew for internal or external reporting.
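The missing check described above, modelled as an added illustration that is not Chartbrew's own code: the vulnerable decision (project public flag plus team export toggle) beside a hardened one that also consults the SharePolicy, and an audit helper that lists the charts the flaw would have handed out. Names such as project.public, team.allowExport and sharePolicy.visibleChartIds are assumed stand-ins, not Chartbrew's real model fields.

```javascript
// Added illustration, not Chartbrew's code. Object shapes and names (project.public,
// team.allowExport, sharePolicy.visibleChartIds) are hypothetical stand-ins.
// Constructed sample state: a public project, an export-enabled team, and a SharePolicy
// that lists chart 100 as publicly visible while chart 200 is hidden from public reports.
const sampleCtx = {
  project: { id: 1, public: true },
  team: { id: 10, allowExport: true },
  sharePolicy: { projectId: 1, visibleChartIds: new Set([100]) },
  charts: {
    100: { id: 100, projectId: 1, rows: [['month', 'signups'], ['Jan', 42]] },
    200: { id: 200, projectId: 1, rows: [['employee', 'salary'], ['alice', 90000]] },
  },
};

// Shared gate: the requested chart must exist and belong to the public project.
function chartInProject(ctx, chartId) {
  const chart = ctx.charts[chartId];
  return chart && chart.projectId === ctx.project.id ? chart : null;
}

// Vulnerable pattern as the advisory describes it: only the project-level public flag
// and the team-level export toggle are consulted, so any chart id in the project passes.
function exportCheckVulnerable(ctx, chartId) {
  if (!chartInProject(ctx, chartId)) return false;
  return ctx.project.public && ctx.team.allowExport;
}

// Hardened pattern: same gates, plus an explicit per-chart check against the
// governing SharePolicy, so hidden charts are denied even inside a public project.
function exportCheckFixed(ctx, chartId) {
  const chart = chartInProject(ctx, chartId);
  if (!chart || !(ctx.project.public && ctx.team.allowExport)) return false;
  const policy = ctx.sharePolicy;
  return policy.projectId === chart.projectId && policy.visibleChartIds.has(chart.id);
}

// Public export route modelled as a function: the rows when allowed, otherwise null.
function exportChart(check, ctx, chartId) {
  return check(ctx, chartId) ? ctx.charts[chartId].rows : null;
}

// Audit helper for defenders: charts the vulnerable check would hand out but the fixed
// check denies are the ones to treat as already exposed on an unpatched instance.
function auditExposedCharts(ctx) {
  return Object.keys(ctx.charts)
    .map(Number)
    .filter((id) => exportCheckVulnerable(ctx, id) && !exportCheckFixed(ctx, id));
}
console.log('charts exposed by the flaw:', auditExposedCharts(sampleCtx)); // prints [ 200 ]
```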
What This Means For You
- If your organization uses Chartbrew, specifically version 4.9.0 or earlier, assume that any data visualized in 'hidden' charts within public projects is accessible to unauthenticated attackers. This is a direct data exposure risk. Prioritize upgrading to Chartbrew 5.0.0 immediately and conduct an audit of your Chartbrew instances to identify sensitive data that might have been inadvertently exposed.
Related ATT&CK Techniques
🛡️ Detection Rules
3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML for one of them is reproduced below.
Chartbrew Unauthenticated Public Chart Data Exposure - CVE-2026-40595
```yaml
title: Chartbrew Unauthenticated Public Chart Data Exposure - CVE-2026-40595
id: scw-2026-04-30-ai-1
status: experimental
level: high
description: |
  Detects attempts to access or export chart data via the /api/charts/ or /api/charts/export/
  endpoints in Chartbrew versions prior to 5.0.0. This rule specifically targets the
  unauthenticated data exposure vulnerability (CVE-2026-40595) where an attacker can retrieve
  data for charts that were intended to be hidden from public reports.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40595/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # '/api/charts/' already matches the export path; both are listed for readability.
    cs-uri|contains:
      - '/api/charts/'
      - '/api/charts/export/'
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  # Legitimate viewers of public reports hit the same routes, so correlate matches
  # with chart identifiers known to be hidden before treating a hit as exposure.
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40595 | Information Disclosure | Chartbrew versions prior to 5.0.0 |
| CVE-2026-40595 | Information Disclosure | Chartbrew vulnerable public chart retrieval and export routes |
| CVE-2026-40595 | Auth Bypass | Chartbrew insufficient verification of SharePolicy for public access |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.