CVE-2026-40600
Published: 30 April 2026
Summary
CVE-2026-40600 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 9.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations, including verification that policy_id belongs to the project in the URL path, directly preventing cross-project unauthorized modifications of SharePolicy records.
- AC-6 (Least Privilege): limits authenticated users to least-privilege access within their own projects, reducing the scope and impact of authorization bypass attempts on other projects' resources.
- Audit logging: generates audit records for SharePolicy update and delete events, including user, project, and policy_id, enabling detection of anomalous cross-project modifications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authorization bypass in a public-facing web application (Chartbrew) directly enables remote exploitation of the application (T1190) to modify cross-project sharing policies.
NVD Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.
Deeper analysis
CVE-2026-40600 is an authorization bypass vulnerability in Chartbrew, an open-source web application for connecting to databases and APIs to create charts from data. In version 4.9.0, the affected routes for updating or deleting SharePolicy records authorize the caller based solely on the project specified in the URL path, without verifying that the policy_id belongs to that project. This flaw, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), enables cross-project modification of dashboard sharing rules, such as visibility, password requirements, allowed parameters, and expiration settings. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for confidentiality and integrity impacts.
An attacker with low-privilege authenticated access to any project can exploit this issue remotely over the network with low complexity and no user interaction required. By targeting SharePolicy endpoints with a mismatched policy_id from another project, the attacker can arbitrarily update or delete sharing configurations for dashboards they do not own, potentially exposing sensitive data visualizations to unauthorized viewers or altering access controls in ways that evade intended restrictions.
The Chartbrew security advisory (GHSA-pq8h-2h99-39xm) and release notes for version 5.0.0 confirm that the issue has been patched by adding proper verification of policy ownership against the project. Security practitioners should upgrade to Chartbrew 5.0.0 or later and review existing SharePolicies for unauthorized changes in multi-project environments.
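The pattern described above, a route that checks project membership from the URL path but then loads the SharePolicy by the caller-supplied policy_id alone, is illustrated below as an added example. This is not Chartbrew's code and it does not reproduce the project's routes or data model; the in-memory store, the handler names, and the sample users, project ids and policy ids are all constructed for the illustration. The vulnerable handler is shown beside a hardened one that scopes the lookup to the project in the path and writes the audit record that the mitigating-controls section calls for.

```javascript
// Added illustration of CWE-639 as described for CVE-2026-40600.
// Not Chartbrew's code: store shape, handler names and sample data are assumptions.
// Plain Node.js, no dependencies.

// Constructed sample data: two projects, one member each, one SharePolicy per project.
const projectMembers = { 1: new Set(['alice']), 2: new Set(['bob']) };
const sharePolicies = new Map([
  [10, { id: 10, project_id: 1, visibility: 'private', password: 'p', expires_at: null }],
  [20, { id: 20, project_id: 2, visibility: 'private', password: 'q', expires_at: null }],
]);
// Audit trail of policy changes (user, project, policy_id, action), for detection.
const auditLog = [];

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Shared by both handlers: the caller must be a member of the project named in the URL path.
function requireProjectMember(user, projectId) {
  const members = projectMembers[projectId];
  if (!members || !members.has(user)) throw new HttpError(403, 'not a member of this project');
}

// Vulnerable pattern: project membership is verified, but the policy is then fetched
// by the user-controlled policy_id alone, so an id from another project is accepted.
function updateSharePolicyVulnerable(user, projectId, policyId, patch) {
  requireProjectMember(user, projectId);
  const policy = sharePolicies.get(policyId); // no project_id condition
  if (!policy) throw new HttpError(404, 'policy not found');
  Object.assign(policy, patch);
  return policy;
}

// Hardened pattern: the lookup is scoped to the project from the path, so a policy_id
// belonging to another project is simply "not found" (404, no existence leak).
function findPolicyInProject(projectId, policyId) {
  const policy = sharePolicies.get(policyId);
  if (!policy || policy.project_id !== projectId) return null;
  return policy;
}

function updateSharePolicy(user, projectId, policyId, patch) {
  requireProjectMember(user, projectId);
  const policy = findPolicyInProject(projectId, policyId);
  if (!policy) throw new HttpError(404, 'policy not found');
  // Do not let the request body re-parent the policy or change its id either.
  const { project_id, id, ...safePatch } = patch;
  Object.assign(policy, safePatch);
  auditLog.push({ user, projectId, policyId, action: 'update' });
  return policy;
}

function deleteSharePolicy(user, projectId, policyId) {
  requireProjectMember(user, projectId);
  if (!findPolicyInProject(projectId, policyId)) throw new HttpError(404, 'policy not found');
  sharePolicies.delete(policyId);
  auditLog.push({ user, projectId, policyId, action: 'delete' });
  return true;
}

// Returns the HTTP status a handler call would produce, for demonstration.
function attempt(fn, ...args) {
  try { fn(...args); return 200; } catch (e) { return e instanceof HttpError ? e.status : 500; }
}
```

Calling `attempt(updateSharePolicyVulnerable, 'alice', 1, 20, { visibility: 'public' })` returns 200 and flips the visibility of project 2's policy even though alice is only a member of project 1; the same call against `updateSharePolicy` returns 404 because the lookup is constrained by both `policy_id` and `project_id`. The fix is the database-side equivalent of a `WHERE id = ? AND project_id = ?` condition rather than an extra check after an unscoped fetch, which is the shape that is easiest to review and hardest to forget on a new route.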
Details
- CWE(s)