Cyber Resilience

CVE-2026-40595

Severity: High
Published: 30 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: fixed in version 5.0.0
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0007 (21.3rd percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40595 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-40595 affects Chartbrew, an open-source web application that connects directly to databases and APIs to generate charts from data. In version 4.9.0, the application exposes public routes for chart retrieval and export that perform incomplete access checks. These routes verify only project-level public access and, for exports, a team-level export toggle, but fail to confirm whether the specific target chart is included in the public report or permitted by the governing SharePolicy. This constitutes an improper access control vulnerability (CWE-284), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

An unauthenticated attacker can exploit this vulnerability if they know the identifier of a chart within a public project. By accessing the public retrieval or export routes, they can read or export sensitive chart data that administrators intentionally excluded from public reports, bypassing intended restrictions.
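To make the gap concrete, here is an added Node.js model of the two authorization patterns; it is hypothetical illustration code, not Chartbrew's, and the data shapes (`publicReportChartIds`, `allowChartExport`, and a SharePolicy with `allowPublicAccess`/`allowExport`) are assumptions. The incomplete check stops at the project and team level, as the advisory describes; the hardened check also requires the specific chart to be on the public report and the SharePolicy to permit the action.

```javascript
// Hypothetical model of the check, not Chartbrew's code; every value is constructed.
const db = {
  teams: { 10: { allowChartExport: true } },
  projects: { 7: { teamId: 10, public: true, publicReportChartIds: [1, 2] } },
  charts: {
    1: { id: 1, projectId: 7, name: "Signups" },
    2: { id: 2, projectId: 7, name: "Revenue" },
    3: { id: 3, projectId: 7, name: "Customer emails" }, // deliberately left off the report
  },
  // Assumed SharePolicy shape: governs the public report of a project.
  sharePolicies: { 7: { allowPublicAccess: true, allowExport: false } },
};

// Flawed pattern the advisory describes: the decision stops at the project
// (and, for exports, the team toggle); the chart itself is never consulted.
function incompleteCheck(db, chartId, action) {
  const chart = db.charts[chartId];
  if (!chart) return false;
  const project = db.projects[chart.projectId];
  if (!project || !project.public) return false;
  if (action === "export" && !db.teams[project.teamId].allowChartExport) return false;
  return true; // chart 3 is granted here even though it is hidden
}

// Hardened pattern: every layer must agree, and the object actually being
// returned (the chart) is checked against the report and the SharePolicy.
function completeCheck(db, chartId, action) {
  const chart = db.charts[chartId];
  if (!chart) return false;
  const project = db.projects[chart.projectId];
  if (!project || !project.public) return false;
  if (!project.publicReportChartIds.includes(chart.id)) return false;
  const policy = db.sharePolicies[chart.projectId];
  if (!policy || !policy.allowPublicAccess) return false;
  if (action === "export") {
    if (!db.teams[project.teamId].allowChartExport) return false;
    if (!policy.allowExport) return false;
  }
  return true;
}

// Route-level wrapper: a denied or unknown chart gets the same 404 so the
// public endpoint does not confirm which chart identifiers exist.
function handlePublicChart(db, chartId, action) {
  if (!completeCheck(db, chartId, action)) return { status: 404 };
  return { status: 200, body: db.charts[chartId] };
}
```

The difference to look for in a review is the object on which the final decision is made: the hardened version decides on the chart being returned, not on its container.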

The issue has been addressed in Chartbrew version 5.0.0, as detailed in the project's release notes and GitHub security advisory GHSA-mq7q-6xh6-5649. Security practitioners should upgrade to version 5.0.0 or later to mitigate the vulnerability.

EU & UK References

Vulnerability details

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper access control flaw in public routes of a public-facing web application (Chartbrew), directly enabling unauthenticated remote exploitation to access unauthorized data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39339 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)
CVE-2026-34291 (shared CWE-284)
CVE-2023-47539 (shared CWE-284)
CVE-2026-23899 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)
CVE-2026-46822 (shared CWE-284)
CVE-2024-37566 (shared CWE-284)
CVE-2026-30689 (shared CWE-284)

Affected Assets

Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Enforces approved authorizations for accessing specific charts in public projects, directly addressing the incomplete verification of chart-level access and SharePolicy.

Prevent (AC-22, Publicly Accessible Content): Controls designation and review of publicly accessible content, preventing exposure of intentionally hidden charts via public routes.

Prevent (AC-24, Access Control Decisions): Ensures access control decisions for chart retrieval and export incorporate specific attributes like SharePolicy and report inclusion beyond project-level checks.

References