LeakyCreds

CVE-2026-40904 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: April 30, 2026

Chartbrew - Broken Access Control

Published: April 30, 2026 | Updated: April 30, 2026 | Remote Exploitable

Overview

Chartbrew 4.9.0 contains a broken access control vulnerability caused by improper authorization on the dataset and dataRequest endpoints. Authenticated low-privileged project members can access and modify data across projects in the same team. Exploitation requires the attacker to have project-level credentials.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Attackers can read, modify, and delete data across projects, leading to data disclosure and unauthorized use of database or API connections.

Mitigation

Upgrade to version 5.0.0 or later.

Details

CVE ID: CVE-2026-40904
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: new

CWE

  • CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N