Chartbrew CVE-2026-40601: Unauthenticated Data Exposure
The National Vulnerability Database (NVD) reports a critical vulnerability, CVE-2026-40601, in Chartbrew, an open-source web application designed for data visualization. Affecting version 4.9.0, this flaw allows an unauthenticated attacker to trigger a data refresh and retrieve sensitive information from private charts. The issue stems from the POST /api/chart/:chart_id/query endpoint failing to properly verify if a target chart belongs to a public report or if sharing policies permit the operation.
Specifically, the NVD notes that the endpoint only checks team.allowReportRefresh, bypassing crucial authentication and authorization checks. An attacker only needs to know a chart identifier to exploit this, making it a straightforward path to data exfiltration. The CVSS score of 7.5 (High) reflects the severity, with a vector indicating network-based attack, low complexity, no privileges required, and high confidentiality impact.
This vulnerability fundamentally undermines the confidentiality of data managed by Chartbrew instances. Organizations using Chartbrew for internal dashboards or client reporting could inadvertently expose sensitive business metrics, operational data, or even customer information. Defenders need to recognize that this isn’t just a theoretical risk; it’s a direct route for any attacker with basic reconnaissance capabilities to pull private data without authentication.
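The missing check described above is an authorization decision, not an authentication one: a team-wide refresh flag says nothing about whether a particular chart is shared. The following added example (not Chartbrew's code; object shapes, field names and the Express-style handler are constructed for illustration, only the `team.allowReportRefresh` flag name comes from the advisory) contrasts a decision that trusts the team flag alone with one that also requires the chart to sit on a public report or the caller to be an authenticated team member.

```javascript
// Added example (not Chartbrew's code): the class of authorization gap the
// advisory describes, shown as two versions of the decision a
// "refresh this chart" handler must make before running the chart's query.
// Object shapes and field names are constructed for this example; only
// team.allowReportRefresh is taken from the advisory.

// Weak check: a single team-level flag. Once a team enables report refreshes,
// anyone who knows a chart id passes, whether or not the chart is shared.
function canRefreshWeak(ctx) {
  return Boolean(ctx.team && ctx.team.allowReportRefresh);
}

// Hardened check: the caller must be an authenticated member of the chart's
// team, or an anonymous visitor refreshing a chart that is actually part of a
// public report on a team that allows report refreshes.
function canRefreshHardened(ctx) {
  const { chart, report, team, user } = ctx;
  if (!chart || !team || chart.teamId !== team.id) return false;

  // Path 1: authenticated team member.
  if (user && team.memberIds.includes(user.id)) return true;

  // Path 2: anonymous refresh, allowed only for charts on a public report.
  if (!team.allowReportRefresh) return false;
  if (!report || !report.public || report.teamId !== team.id) return false;
  return report.chartIds.includes(chart.id);
}

// Express-style handler (constructed), with lookups injected so the decision
// can be exercised without a database. Returns {status, body} instead of
// writing to a response object.
function makeQueryHandler(lookups, decide) {
  return function handler(req) {
    const chart = lookups.chartById(req.params.chart_id);
    if (!chart) return { status: 404, body: { error: 'not found' } };
    const team = lookups.teamById(chart.teamId);
    const report = lookups.reportByChartId(chart.id);
    const user = req.user || null; // set by auth middleware when a session exists
    if (!decide({ chart, report, team, user })) {
      return { status: 401, body: { error: 'unauthorized' } };
    }
    return { status: 200, body: { chartId: chart.id, data: lookups.runQuery(chart) } };
  };
}

// Constructed sample data: two charts on one team; only chart '1' is on a
// public report. Chart '2' is the private chart the weak check leaks.
const SAMPLE = {
  team: { id: 't1', allowReportRefresh: true, memberIds: ['u1'] },
  charts: { 1: { id: '1', teamId: 't1' }, 2: { id: '2', teamId: 't1' } },
  report: { id: 'r1', teamId: 't1', public: true, chartIds: ['1'] },
};

const sampleLookups = {
  chartById: (id) => SAMPLE.charts[id] || null,
  teamById: (id) => (id === SAMPLE.team.id ? SAMPLE.team : null),
  reportByChartId: (id) => (SAMPLE.report.chartIds.includes(id) ? SAMPLE.report : null),
  runQuery: (chart) => [{ chart: chart.id, value: 42 }],
};

// Run the same request through both decision functions and return the two
// HTTP statuses, e.g. compare('2', null) -> { weak: 200, hardened: 401 }.
function compare(chartId, user) {
  const req = { params: { chart_id: chartId }, user };
  return {
    weak: makeQueryHandler(sampleLookups, canRefreshWeak)(req).status,
    hardened: makeQueryHandler(sampleLookups, canRefreshHardened)(req).status,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('anonymous, private chart 2:', compare('2', null));
  console.log('anonymous, public chart 1: ', compare('1', null));
  console.log('member u1, private chart 2:', compare('2', { id: 'u1' }));
}
```

The point of the comparison is that the team flag is a necessary condition for anonymous refreshes but never a sufficient one; the hardened path ties every anonymous request back to a concrete public report that lists the chart, so a guessed or enumerated chart id on its own yields a 401.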
What This Means For You
- If your organization uses Chartbrew, immediately verify your version. If you are running version 4.9.0 or earlier, you are directly exposed to CVE-2026-40601. Patch to version 5.0.0 or later without delay. Prioritize this fix, as an unauthenticated attacker can retrieve private chart data with minimal effort.
Detection Rules
```yaml
title: Chartbrew Unauthenticated Chart Data Exposure via POST /api/chart/:chart_id/query - CVE-2026-40601
id: scw-2026-04-30-ai-1
status: experimental
level: high
description: |
  Detects POST requests to the /api/chart/:chart_id/query endpoint in Chartbrew versions prior to 5.0.0.
  This endpoint was vulnerable to unauthenticated data exposure because it did not properly check
  authorization before refreshing and returning chart data, allowing attackers to access private chart data.
  Note: web server logs do not record whether a request carried a valid session, so this selection
  also matches legitimate, authenticated chart refreshes; correlate with session or user fields where available.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40601/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    # '|all' requires both substrings in the URI; a plain '|contains' list is OR-ed
    # in Sigma and would also match every other /api/chart/ route.
    cs-uri|contains|all:
      - '/api/chart/'
      - '/query'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Authenticated chart refreshes triggered from the Chartbrew frontend
```
Source: Shimi's Cyber World
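To see what the rule above actually flags, the following added example (not part of the original page or of Chartbrew) parses a few constructed W3C extended log lines, applies the rule's selection (POST requests whose URI contains both `/api/chart/` and `/query`), and then shows a tightened variant that additionally requires an anonymous `cs-username`. The log lines, IP addresses and the assumption that the web server populates `cs-username` with `-` for sessionless requests are all constructed for this example.

```javascript
// Added example (not from the original page or from Chartbrew): applies the
// Sigma rule's selection to constructed W3C extended log lines, so the rule's
// coverage and its noise can be seen on concrete records.

// Constructed sample log in W3C extended format. Field names follow the rule's
// cs-method / cs-uri naming; cs-username is '-' when no session was present.
const SAMPLE_LOG = `#Fields: date time c-ip cs-method cs-uri cs-username sc-status
2026-04-30 22:20:01 198.51.100.7 POST /api/chart/17/query - 200
2026-04-30 22:20:03 198.51.100.7 POST /api/chart/18/query - 200
2026-04-30 22:21:10 203.0.113.5 POST /api/chart/17/query alice 200
2026-04-30 22:21:12 203.0.113.5 GET /api/chart/17 alice 200
2026-04-30 22:22:00 192.0.2.9 POST /api/login - 401
`;

// Minimal W3C extended log parser: the '#Fields:' directive names the columns,
// other '#' lines are directives to skip, data lines are whitespace-separated.
function parseW3C(text) {
  const lines = text.split('\n').filter((l) => l.trim() !== '');
  let fields = null;
  const entries = [];
  for (const line of lines) {
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || !fields) continue;
    const values = line.split(/\s+/);
    const entry = {};
    fields.forEach((f, i) => { entry[f] = values[i]; });
    entries.push(entry);
  }
  return entries;
}

// Transcription of the rule's selection: method POST and a URI containing
// both '/api/chart/' and '/query'.
function matchesSelection(entry) {
  const uri = entry['cs-uri'] || '';
  return entry['cs-method'] === 'POST'
    && uri.includes('/api/chart/')
    && uri.includes('/query');
}

// Tightened variant (assumption: the server records cs-username, '-' when there
// is no session). Requiring an anonymous user drops the authenticated frontend
// refreshes that the selection alone also flags.
function matchesTightened(entry) {
  return matchesSelection(entry) && (entry['cs-username'] || '-') === '-';
}

// Returns one summary line per matching entry.
function runRule(text, matcher) {
  return parseW3C(text)
    .filter(matcher)
    .map((e) => `${e.date} ${e.time} ${e['c-ip']} ${e['cs-uri']} user=${e['cs-username']}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('rule selection:', runRule(SAMPLE_LOG, matchesSelection));
  console.log('tightened:     ', runRule(SAMPLE_LOG, matchesTightened));
}
```

On the sample, the selection as written fires three times, including alice's ordinary refresh; the tightened variant keeps only the two anonymous hits from 198.51.100.7. Whether that refinement is usable depends on the log source: a reverse proxy in front of Chartbrew will usually not know the application session, so the untightened rule is the portable baseline and the session check belongs in application-level logging.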
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40601 | Information Disclosure | Chartbrew versions < 5.0.0 |
| CVE-2026-40601 | Auth Bypass | Chartbrew POST /api/chart/:chart_id/query endpoint |
| CVE-2026-40601 | Information Disclosure | Unauthenticated access to private chart data via POST /api/chart/:chart_id/query in Chartbrew |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.