CVE-2026-40904
Published: 30 April 2026
Summary
CVE-2026-40904 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 9.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to resources, directly mitigating the failure to bind dataset_id, dataRequest_id, and connection_id to the caller's specific projects.
AC-24 requires verifying access authorizations prior to allowing access to system resources, addressing the improper team-level authorization that permitted cross-project dataset and dataRequest operations.
AC-6 enforces least privilege, ensuring low-privileged project members cannot access or modify datasets and data requests from other projects in the same team.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control in the web application's endpoints lets authenticated low-privileged users read, create, update, and delete datasets and data requests in other projects (and use the database or API connections associated with them). This maps directly to Exploit Public-Facing Application (T1190), Data from Information Repositories (T1213), and Stored Data Manipulation (T1565).
NVD Description
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. An authenticated attacker who only has access to one project inside a team can read, execute, create, update, and delete datasets and data requests that belong to other projects in the same team. The issue is exploitable remotely with ordinary project-level credentials and leads to cross-project data disclosure and unauthorized use of victim-side database or API connections. This issue has been patched in version 5.0.0.
Deeper analysis
CVE-2026-40904 affects Chartbrew, an open-source web application that connects directly to databases and APIs to create charts, specifically in version 4.9.0. The vulnerability stems from multiple dataset and dataRequest endpoints that improperly authorize low-privileged project members at the team level, rather than binding the requested dataset_id, dataRequest id, and connection_id to the caller's allowed projects. This authorization flaw, mapped to CWE-284 (Improper Access Control), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability disruption.
An authenticated attacker with ordinary project-level credentials, granting access to just one project within a team, can remotely exploit this issue to read, execute, create, update, and delete datasets and data requests belonging to other projects in the same team. Exploitation requires no user interaction and low privileges, enabling cross-project data disclosure and unauthorized use of victim-side database or API connections tied to those projects.
The Chartbrew security advisory (GHSA-jq95-gqww-vhm3) and release notes for version 5.0.0 confirm that the issue has been patched, recommending immediate upgrade to v5.0.0 or later to enforce proper project-level authorization binding.
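The authorization failure described above, as an added illustration in JavaScript that is not Chartbrew's code: a team-level check of the kind the advisory describes, beside a project-bound check that resolves the dataset's owning project and ties dataRequest_id and connection_id to it. The in-memory data model, user names and ids are constructed for the example.

```javascript
// Added illustration, not Chartbrew's code. All ids, users and the in-memory
// "database" below are constructed: one team with two projects, a dataset and
// a data request in each, and callers who belong to only one project.
const teams = { t1: { projects: ["p1", "p2"] } };
const projectMembers = { p1: new Set(["alice"]), p2: new Set(["bob"]) };
const connections = { c1: { project_id: "p1" }, c2: { project_id: "p2" } };
const datasets = {
  d1: { project_id: "p1", connection_id: "c1" },
  d2: { project_id: "p2", connection_id: "c2" },
};
const dataRequests = { r1: { dataset_id: "d1" }, r2: { dataset_id: "d2" } };

function isTeamMember(user, teamId) {
  return teams[teamId].projects.some((p) => projectMembers[p].has(user));
}

// Weak pattern of the kind the advisory describes: the caller is only checked
// against the team, so dataset_id is never tied to the caller's own projects and
// any team member can reach any dataset in that team.
function canAccessDatasetTeamLevel(user, teamId, datasetId) {
  const ds = datasets[datasetId];
  if (!ds || !teams[teamId].projects.includes(ds.project_id)) return false;
  return isTeamMember(user, teamId);
}

// Hardened pattern: resolve the dataset's owning project and require membership
// in that project; when a connection_id is supplied it must belong to the same
// project, so a caller cannot point a dataset at another project's connection.
function canAccessDatasetProjectBound(user, datasetId, connectionId) {
  const ds = datasets[datasetId];
  if (!ds) return false;
  const members = projectMembers[ds.project_id];
  if (!members || !members.has(user)) return false;
  if (connectionId !== undefined) {
    const conn = connections[connectionId];
    if (!conn || conn.project_id !== ds.project_id) return false;
  }
  return true;
}

// dataRequest_id is bound the same way, through the dataset it belongs to, so
// executing or editing a request is only allowed inside the caller's project.
function canAccessDataRequestProjectBound(user, dataRequestId) {
  const dr = dataRequests[dataRequestId];
  if (!dr) return false;
  return canAccessDatasetProjectBound(user, dr.dataset_id);
}
```

With this data, the team-level check lets alice (a member of p1 only) reach dataset d2 in p2, while the project-bound check denies it and also rejects a dataset paired with another project's connection.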