CVE-2026-40595
Published: 30 April 2026
Summary
CVE-2026-40595 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 19.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-24 (Access Control Decisions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for accessing specific charts in public projects, directly addressing the incomplete verification of chart-level access and SharePolicy.
- AC-22 (Publicly Accessible Content): controls designation and review of publicly accessible content, preventing exposure of intentionally hidden charts via public routes.
- AC-24 (Access Control Decisions): ensures access control decisions for chart retrieval and export incorporate specific attributes such as SharePolicy and report inclusion, beyond project-level checks.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is an improper access control flaw in public routes of a public-facing web application (Chartbrew), directly enabling unauthenticated remote exploitation to access unauthorized data.
NVD Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.
Deeper analysis
CVE-2026-40595 affects Chartbrew, an open-source web application that connects directly to databases and APIs to generate charts from data. In version 4.9.0, the application exposes public routes for chart retrieval and export that perform incomplete access checks. These routes verify only project-level public access and, for exports, a team-level export toggle, but fail to confirm whether the specific target chart is included in the public report or permitted by the governing SharePolicy. This constitutes an improper access control vulnerability (CWE-284), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
An unauthenticated attacker can exploit this vulnerability if they know the identifier of a chart within a public project. By accessing the public retrieval or export routes, they can read or export sensitive chart data that administrators intentionally excluded from public reports, bypassing intended restrictions.
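The incomplete authorization decision described above, shown beside a hardened one, as an added illustration that is not Chartbrew's own code; the data shapes (`project.public`, `team.allowExport`, `report.chartIds`, `sharePolicy.allowPublic`) and the helper names are assumptions for this example, not the project's real schema or routes.

```javascript
// Added illustration (not Chartbrew's code). Field names below are
// assumptions chosen to mirror the advisory's description, not the real schema.

// Incomplete pattern (as described for 4.9.0): only project-level public
// access and, for exports, a team-level toggle are checked.
function canAccessChartIncomplete(ctx, { isExport }) {
  const { project, team } = ctx;
  if (!project.public) return false;
  if (isExport && !team.allowExport) return false;
  return true; // chart-level report inclusion and SharePolicy are never consulted
}

// Hardened pattern: additionally require that the governing SharePolicy permits
// public access, that the specific chart is part of the public report, and that
// the chart actually belongs to the project being served.
function canAccessChartHardened(ctx, { isExport }) {
  const { project, team, report, sharePolicy, chart } = ctx;
  if (!project.public) return false;
  if (isExport && !team.allowExport) return false;
  if (!sharePolicy || !sharePolicy.allowPublic) return false;
  if (!report || !Array.isArray(report.chartIds)) return false;
  if (!report.chartIds.includes(chart.id)) return false;
  if (chart.projectId !== project.id) return false;
  return true;
}

// Constructed sample: a public project whose report shows chart 1 but
// intentionally hides chart 2 (both charts belong to the project).
const sample = {
  project: { id: 10, public: true },
  team: { allowExport: true },
  report: { chartIds: [1] },
  sharePolicy: { allowPublic: true },
};
const visibleChart = { id: 1, projectId: 10 };
const hiddenChart = { id: 2, projectId: 10 };

// Evaluate one decision function against the sample context for a given chart.
function decide(fn, chart, isExport) {
  return fn({ ...sample, chart }, { isExport });
}
```

With the sample data, the incomplete check serves the hidden chart to an unauthenticated caller while the hardened check refuses it and still serves the chart that is on the report.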
The issue has been addressed in Chartbrew version 5.0.0, as detailed in the project's release notes and GitHub security advisory GHSA-mq7q-6xh6-5649. Security practitioners should upgrade to version 5.0.0 or later to mitigate the vulnerability.
Details
- CWE(s)