Chartbrew CVE-2026-40904 Exposes Cross-Project Data in v4.9.0

A critical authorization flaw, CVE-2026-40904, has been identified in Chartbrew, an open-source web application for data visualization. The National Vulnerability Database reports that Chartbrew version 4.9.0 fails to properly bind dataset, data request, and connection IDs to a user’s permitted projects. Instead, it authorizes low-privileged project members at the broader team level, creating a significant security gap.

This authorization flaw allows an authenticated attacker with access to just one project within a team to gain unauthorized read, execute, create, update, and delete privileges over datasets and data requests belonging to other projects in the same team. The issue is remotely exploitable with standard project-level credentials, according to the National Vulnerability Database. This directly leads to cross-project data disclosure and unauthorized use of victim-side database or API connections.

The vulnerability carries a CVSS score of 8.1 (HIGH) and has been patched in Chartbrew version 5.0.0. Defenders must understand that this isn’t just about data visibility; it’s about control over critical data connections. An attacker could not only steal sensitive information but also manipulate data sources or even pivot to underlying databases through hijacked connections.
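The flaw class the advisory describes is an object id that is checked against the caller's team instead of the caller's projects. The following added example (not Chartbrew's code; every name, field and fixture is constructed for the illustration) contrasts a team-level check with a project-bound one for the three object types the advisory names, resolving a data request through its dataset, which is an assumed relationship for the demo, and wraps the fixed check in an Express-style route guard.

```javascript
// Added example, not Chartbrew's code: a team-level authorization check of the
// kind the advisory describes beside a project-bound check. All names, fields
// and fixtures are constructed for this illustration.

// Constructed fixtures: one team with two projects; objects belong to projects.
const projects = { 10: { teamId: 1 }, 20: { teamId: 1 } };
const datasets = { 100: { projectId: 10 }, 200: { projectId: 20 } };
const dataRequests = { 300: { datasetId: 100 }, 400: { datasetId: 200 } };
const connections = { 500: { projectId: 10 }, 600: { projectId: 20 } };

// Constructed membership: alice is a team member granted only project 10.
const users = { alice: { teamId: 1, projectIds: [10] } };

// Each object type resolves to the project that owns it. A dataRequest is
// resolved through its dataset (assumed relationship for the demo).
const projectOf = {
  dataset: (id) => datasets[id]?.projectId,
  dataRequest: (id) => {
    const ds = datasets[dataRequests[id]?.datasetId];
    return ds?.projectId;
  },
  connection: (id) => connections[id]?.projectId,
};

// Team-level check: the flawed pattern. It only asks whether the object's team
// is the caller's team, so membership in any one project grants every object
// in the team.
function canAccessTeamLevel(userId, kind, objectId) {
  const user = users[userId];
  const projectId = projectOf[kind]?.(objectId);
  const project = projects[projectId];
  if (!user || !project) return false;
  return project.teamId === user.teamId;
}

// Project-bound check: resolve the object to its project and require that the
// project is both in the caller's team and in the caller's permitted set.
function canAccessProjectBound(userId, kind, objectId) {
  const user = users[userId];
  const projectId = projectOf[kind]?.(objectId);
  const project = projects[projectId];
  if (!user || !project) return false;
  if (project.teamId !== user.teamId) return false;
  return user.projectIds.includes(projectId);
}

// Express-style guard built from the project-bound check; `kind` names the
// object type of the route and `param` the route parameter holding its id.
function requireProjectAccess(kind, param) {
  return (req, res, next) => {
    if (canAccessProjectBound(req.userId, kind, req.params[param])) return next();
    res.status(403).json({ error: 'forbidden' });
  };
}
```

The important design point is that the resolver runs before the decision: the guard never trusts a project id supplied by the client, it derives the owning project from the object id in the route and compares that against the caller's grants.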

What This Means For You

  • If your organization uses Chartbrew, immediately check your version. If you are running 4.9.0 or earlier, upgrade to version 5.0.0 without delay. Audit logs for any suspicious activity related to dataset or data request manipulation, especially across different projects within the same team. This vulnerability allows low-privileged users to become high-impact threats, bypassing project-level segmentation that many teams rely on for data isolation.

🛡️ Detection Rules

Level: high · ATT&CK: T1078.004 (Defense Evasion)

CVE-2026-40904 - Chartbrew Cross-Project Data Access

Sigma YAML
title: CVE-2026-40904 - Chartbrew Cross-Project Data Access
id: scw-2026-04-30-ai-1
status: experimental
level: high
description: |
  Detects requests to the dataset and dataRequest endpoints of Chartbrew 4.9.0,
  the endpoints affected by CVE-2026-40904, where low-privileged project members
  can reach data outside their assigned projects because dataset_id,
  dataRequest id and connection_id are not bound to the caller's projects.
  The selection matches every request to these endpoints, legitimate ones
  included; a match is only an indicator of exploitation once the requested
  object's project is compared with the requesting user's project membership.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40904/
tags:
  - attack.defense_evasion
  - attack.t1078.004
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/datasets/'
      - '/api/v1/dataRequests/'
    cs-method:
      - 'GET'
      - 'POST'
      - 'PUT'
      - 'DELETE'
  # condition must sit at the detection level, not inside selection
  condition: selection
falsepositives:
  - Legitimate dataset and data request activity by authorized project members
  - Legitimate administrative activity
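The Sigma rule above fires on every request to the dataset and dataRequest endpoints, so on its own it cannot separate an authorized project member from the cross-project access the advisory describes, and the audit advice under "What This Means For You" needs the same correlation. The following added example (not part of the site's rule set and not Chartbrew's code) runs that correlation over a few constructed access-log lines: each request is resolved to the project that owns the requested object, and the access is flagged when that project is not in the requester's permitted set or when the object id does not exist. The membership and ownership tables are constructed and their shape is an assumption, not Chartbrew's schema.

```javascript
// Added example, not the page's detection rule and not Chartbrew's code:
// review web access logs for cross-project dataset/dataRequest access.
// Membership tables and log lines are constructed for the demo.

// Constructed authorization context (assumed shape, not Chartbrew's schema).
const userProjects = { alice: [10], bob: [10, 20] };
const objectProject = {
  dataset: { 100: 10, 200: 20 },
  dataRequest: { 300: 10, 400: 20 },
};

// Constructed access-log lines in the form "user method path".
const sampleLog = `
alice GET /api/v1/datasets/100
alice GET /api/v1/datasets/200
alice DELETE /api/v1/dataRequests/400
bob PUT /api/v1/datasets/200
alice GET /api/v1/projects/10
alice GET /api/v1/datasets/999
`;

// Routes of interest, as in the Sigma rule; the numeric id is captured.
const ROUTE = /^\/api\/v1\/(datasets|dataRequests)\/(\d+)(?:\/|$)/;
const KIND = { datasets: 'dataset', dataRequests: 'dataRequest' };

// Parse one log line; returns null for blank lines and unrelated routes.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 3) return null;
  const [user, method, path] = parts;
  const m = ROUTE.exec(path);
  if (!m) return null;
  return { user, method, kind: KIND[m[1]], id: m[2] };
}

// Flag requests whose target object belongs to a project the user is not
// granted, plus requests for ids that resolve to no object at all.
function findCrossProjectAccess(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const req = parseLine(line);
    if (!req) continue;
    const projectId = objectProject[req.kind][req.id];
    const permitted = userProjects[req.user] || [];
    if (projectId === undefined) {
      findings.push({ ...req, reason: 'unknown object id' });
    } else if (!permitted.includes(projectId)) {
      findings.push({ ...req, projectId, reason: 'project not permitted for user' });
    }
  }
  return findings;
}
```

In a real deployment the two tables would come from the application database at the time of the request, since membership changes over time; a finding on a write method (PUT, POST, DELETE) against another project's object is the case to treat with the most urgency, because it means the connection or dataset may have been altered rather than only read.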

Indicators of Compromise

ID               Type                    Indicator
CVE-2026-40904   Auth Bypass             Chartbrew versions <= 4.9.0
CVE-2026-40904   Information Disclosure  Chartbrew versions <= 4.9.0, vulnerable endpoints: dataset, dataRequest
CVE-2026-40904   Privilege Escalation    Chartbrew versions <= 4.9.0, allows low-privileged project members to access other projects' data

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 30, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
