PT-2026-36161 · Chartbrew · Chartbrew

Larlarua · Published 2026-04-30 · Updated 2026-04-30 · CVE-2026-40600

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Chartbrew version 4.9.0
Description: Chartbrew allows an authenticated user with access to one project to update or delete a SharePolicy record belonging to a different project. The application authorizes the caller based on the project in the URL path, but it does not verify that the policy ID in the request belongs to that project, so any existing policy ID is accepted. This enables cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings.
Recommendations: Update to version 5.0.0.
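To make the described gap concrete, the following is an added illustration written for this page; it is not Chartbrew's code. The in-memory tables, field names (`project_id`, `visibility`, `password`, `expires_at`), user and policy IDs, and handler signatures are constructed assumptions. The vulnerable handler authorizes on the project from the URL and then loads the policy by ID alone; the hardened handler scopes the lookup to the authorized project and also strips `id`/`project_id` from the update body so a policy cannot be moved between projects.

```javascript
// Added illustration of the authorization gap described in the advisory.
// NOT Chartbrew's code: data model, field names and handler signatures
// are constructed assumptions for the demo. All records are sample data.

const projects = [{ id: 1, name: "Sales" }, { id: 2, name: "Finance" }];

// Constructed membership table: which user may access which project.
const memberships = [
  { user_id: 100, project_id: 1 }, // attacker: member of project 1 only
  { user_id: 200, project_id: 2 }, // victim: member of project 2
];

// Fresh copy of the share-policy table so each scenario starts clean.
function freshPolicies() {
  return [
    { id: 10, project_id: 1, visibility: "private", password: null, expires_at: null },
    { id: 20, project_id: 2, visibility: "private", password: "s3cret", expires_at: null },
  ];
}

function userCanAccessProject(userId, projectId) {
  return memberships.some((m) => m.user_id === userId && m.project_id === projectId);
}

// Vulnerable pattern: the caller is authorized against the project id taken
// from the URL path, but the policy is then loaded by id alone, so a policy
// id from any other project is accepted and modified.
function updateSharePolicyVulnerable(policies, userId, urlProjectId, policyId, patch) {
  if (!userCanAccessProject(userId, urlProjectId)) return { status: 403 };
  const policy = policies.find((p) => p.id === policyId);
  if (!policy) return { status: 404 };
  Object.assign(policy, patch);
  return { status: 200, policy };
}

// Hardened pattern: the lookup is scoped to the project that was authorized.
// A policy that exists but belongs to another project is indistinguishable
// from a missing one (404), so the check does not confirm foreign ids either.
function updateSharePolicyFixed(policies, userId, urlProjectId, policyId, patch) {
  if (!userCanAccessProject(userId, urlProjectId)) return { status: 403 };
  const policy = policies.find((p) => p.id === policyId && p.project_id === urlProjectId);
  if (!policy) return { status: 404 };
  // Do not let the body re-key the record or move it to another project.
  const safePatch = { ...patch };
  delete safePatch.id;
  delete safePatch.project_id;
  Object.assign(policy, safePatch);
  return { status: 200, policy };
}

// Same scoping rule applied to delete.
function deleteSharePolicyFixed(policies, userId, urlProjectId, policyId) {
  if (!userCanAccessProject(userId, urlProjectId)) return { status: 403 };
  const idx = policies.findIndex((p) => p.id === policyId && p.project_id === urlProjectId);
  if (idx === -1) return { status: 404 };
  policies.splice(idx, 1);
  return { status: 204 };
}

// Scenario from the advisory: user 100 (project 1 only) targets policy 20
// (project 2) while supplying project 1 in the URL path.
function demo() {
  const attack = { visibility: "public", password: null, project_id: 1 };
  const vuln = freshPolicies();
  const rVuln = updateSharePolicyVulnerable(vuln, 100, 1, 20, attack);
  const fixed = freshPolicies();
  const rFixed = updateSharePolicyFixed(fixed, 100, 1, 20, attack);
  return {
    vulnerableStatus: rVuln.status,
    vulnerableVictimVisibility: vuln.find((p) => p.id === 20).visibility,
    vulnerableVictimProject: vuln.find((p) => p.id === 20).project_id,
    fixedStatus: rFixed.status,
    fixedVictimVisibility: fixed.find((p) => p.id === 20).visibility,
    legitimateStatus: updateSharePolicyFixed(fixed, 100, 1, 10, attack).status,
    legitimateProject: fixed.find((p) => p.id === 10).project_id,
  };
}

console.log(demo());
```

When auditing a fix of this kind, check every handler under the project-scoped route, not only update: delete, read and any "regenerate token" style actions need the same `id` plus `project_id` predicate, and the update body must not be allowed to carry the scoping column.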

Exploit · Fix · IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-40600

Affected Products

Chartbrew