PT-2026-36162 · Chartbrew · Chartbrew
Larlarua · Published 2026-04-30 · Updated 2026-04-30 · CVE-2026-40601
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Chartbrew versions prior to 5.0.0

Description: Chartbrew is an open-source web application for building charts from data in connected databases and APIs. The "POST /api/chart/:chart id/query" endpoint is exposed without authentication. Before serving a refresh, the server checks only the team.allowReportRefresh setting; it does not verify that the target chart belongs to a public report, that the project is public, or that the sharing policy permits the operation. An unauthenticated attacker who knows a chart identifier can therefore trigger a data refresh and retrieve the current data of private charts.

Recommendations: Update to version 5.0.0.
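The following is an added illustration of the authorization gap described above, not Chartbrew's own code. It places the check as the advisory describes it (only team.allowReportRefresh is consulted) beside a hardened decision that additionally requires the chart to be deliberately exposed (public project, chart on a public report, sharing policy allowing refresh) unless the caller is an authenticated member of the owning team. The in-memory store, the field names isPublic, onReport, sharingPolicy and members, and the handleQuery function are assumed placeholders constructed for the example.

```javascript
// Added example, not Chartbrew's code. allowReportRefresh is the setting named in the
// advisory; isPublic, onReport, sharingPolicy and members are assumed placeholder fields.

// Constructed fixture: one team, a private and a public project, one chart in each.
const store = {
  teams: { 3: { id: 3, allowReportRefresh: true, members: ['alice'] } },
  projects: {
    7: { id: 7, teamId: 3, isPublic: false },
    8: { id: 8, teamId: 3, isPublic: true, sharingPolicy: { allowRefresh: true } },
  },
  charts: {
    42: { id: 42, projectId: 7, onReport: false }, // private chart
    43: { id: 43, projectId: 8, onReport: true },  // chart shown on a public report
  },
};

// The check as the advisory describes it: only the team-level flag is consulted,
// so an anonymous caller who knows a chart id can refresh a private chart.
function vulnerableCanRefresh(ctx) {
  return ctx.team.allowReportRefresh === true;
}

// Hardened decision: authenticated members of the owning team may refresh;
// an anonymous caller may only refresh a chart that is explicitly public.
function hardenedCanRefresh(ctx) {
  const { chart, project, team, user } = ctx;
  if (user && team.members.includes(user)) return true;    // authenticated team member
  if (team.allowReportRefresh !== true) return false;      // team has not opted in
  if (project.isPublic !== true) return false;             // project must be public
  if (chart.onReport !== true) return false;               // chart must be on the public report
  const policy = project.sharingPolicy;
  if (!policy || policy.allowRefresh !== true) return false; // sharing policy must permit it
  return true;
}

// Simulated handler for "POST /api/chart/:chart id/query"; `user` is null for
// anonymous callers and `decide` is the authorization function under test.
function handleQuery(chartId, user, decide) {
  const chart = store.charts[chartId];
  if (!chart) return { status: 404 };
  const project = store.projects[chart.projectId];
  const team = store.teams[project.teamId];
  const ctx = { chart, project, team, user };
  // Note: returning 404 instead of 403 here would also avoid confirming that a
  // private chart id exists; 403 is kept for readability of the example.
  if (!decide(ctx)) return { status: 403 };
  // A real handler would run the chart's data-source query at this point.
  return { status: 200, body: { chartId, refreshed: true } };
}

// Stand-alone demonstration of the difference for an anonymous caller.
console.log('anonymous, private chart, vulnerable check:',
  handleQuery(42, null, vulnerableCanRefresh).status); // 200
console.log('anonymous, private chart, hardened check:',
  handleQuery(42, null, hardenedCanRefresh).status);   // 403
console.log('anonymous, public-report chart, hardened check:',
  handleQuery(43, null, hardenedCanRefresh).status);   // 200
```

The point of the hardened function is that the team-level opt-in is necessary but not sufficient: each of the conditions the advisory lists as unchecked (public report, public project, sharing policy) is evaluated in turn, and only an authenticated member of the owning team bypasses them.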

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-40601

Affected Products: Chartbrew