Chartbrew 4.9.0 exposes private chart data without authentication
TL;DR - In chartbrew 4.9.0, POST /api/chart/:chart_id/query requires no authentication. Know a chart_id, have team.allowReportRefresh enabled, and you can force a refresh and read private chart data. Patched in v5.0.0.
What happened
chartbrew is an open-source dashboard builder that connects to databases and external APIs. CVE-2026-40601 is a missing-authorization flaw (CWE-862): the endpoint POST /api/chart/:chart_id/query is fully unauthenticated in version 4.9.0.
The handler gates on a single team-wide toggle - team.allowReportRefresh - and nothing else. It does not check whether the chart belongs to a public report, whether the project is public, or whether any sharing policy permits the operation. An attacker who can guess or enumerate a chart_id sends one unauthenticated POST and gets back a refreshed chart object with current data.
This is a clean data-exfil path. Chartbrew typically sits in front of high-value datasets and API connections. That makes bypassing its access controls consequential beyond just the chart contents themselves.
| Item | Detail |
|---|---|
| Affected component | POST /api/chart/:chart_id/query |
| Affected version | 4.9.0 |
| Severity | CVSS 3.1 7.5 (High) |
| Weakness | CWE-862 Missing Authorization |
| Patched version | v5.0.0 |
Who is impacted
- Deployments running
chartbrew4.9.0. - Highest risk where the Chartbrew API is reachable from untrusted networks.
- Exploit requires
team.allowReportRefreshto be enabled on the target team.
What to do now
- Upgrade to
v5.0.0, which patches this issue."This issue has been patched in version 5.0.0."
- Confirm whether you are running
4.9.0- check lockfiles, container images, and deployed artifacts. - If you cannot patch immediately:
- block unauthenticated access to
/api/chart/*/queryat the network edge - audit which teams have
allowReportRefreshenabled, and disable it where it is not strictly needed for sensitive charts
- block unauthenticated access to
- Treat this as a potential data exposure event:
- review access logs for unexpected
POSTrequests to/api/chart/:chart_id/query - if you find evidence of unauthorised access, scope the downstream data sources and credentials that Chartbrew can reach in your environment and rotate accordingly
- review access logs for unexpected
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.