CVE-2026-40904

Name of the Vulnerable Software and Affected Versions Chartbrew versions prior to 5.0.0

Description Chartbrew exposes multiple 'dataset' and 'dataRequest' endpoints that authorize low-privileged project members at the team level. The system fails to bind the requested dataset id, dataRequest id, and connection id to the projects allowed for the caller. This allows an authenticated attacker with access to a single project within a team to read, execute, create, update, and delete datasets and data requests belonging to other projects in the same team. This leads to cross-project data disclosure and unauthorized use of database or API connections.

Recommendations Update to version 5.0.0.