Cross-Project Modification Vulnerability in Chartbrew Open-Source Application
CVE-2026-40600

8.1 HIGH

Key Information:

Vendor: Chartbrew
Status: Vendor
CVE Published: 30 April 2026

What is CVE-2026-40600?

In Chartbrew version 4.9.0, a flaw allows authenticated users to modify or delete SharePolicy records that belong to other projects. The application authorizes the request against the project specified in the URL path, but it does not confirm that the referenced policy_id belongs to that project. As a result, a user with access to one project can alter the sharing rules of dashboards in other projects, including their visibility, password enforcement, parameter settings, and expiration details. The vulnerability is fixed in version 5.0.0.
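The authorization gap described above, as an added example rather than Chartbrew's own code: a route handler that checks only the project named in the URL path, beside a hardened version that also verifies the policy belongs to that project. The in-memory store, field names, and user and project identifiers are assumptions.

```javascript
// Added illustration (not Chartbrew's code): the cross-project policy
// modification pattern, modelled with an in-memory store. Names are assumed.

// Constructed sample data: two projects, each with one SharePolicy.
const projects = {
  1: { id: 1, members: ["alice"] },
  2: { id: 2, members: ["bob"] },
};
const sharePolicies = {
  10: { id: 10, project_id: 1, visibility: "private", password: "s3cret" },
  20: { id: 20, project_id: 2, visibility: "private", password: "hunter2" },
};

// Project-level check: is the caller a member of the project in the URL path?
function canEditProject(user, projectId) {
  const project = projects[projectId];
  return Boolean(project && project.members.includes(user));
}

// Vulnerable pattern: the project in the path is authorized, but the policy is
// then looked up by id alone, so a policy from any project can be changed.
function updatePolicyVulnerable(user, pathProjectId, policyId, changes) {
  if (!canEditProject(user, pathProjectId)) return { status: 403 };
  const policy = sharePolicies[policyId];
  if (!policy) return { status: 404 };
  Object.assign(policy, changes);
  return { status: 200, policy };
}

// Hardened pattern: scope the lookup to the authorized project. A policy that
// exists but belongs to another project is reported as not found (404), which
// also avoids confirming which ids exist outside the caller's project.
function updatePolicyFixed(user, pathProjectId, policyId, changes) {
  if (!canEditProject(user, pathProjectId)) return { status: 403 };
  const policy = sharePolicies[policyId];
  if (!policy || policy.project_id !== Number(pathProjectId)) {
    return { status: 404 };
  }
  Object.assign(policy, changes);
  return { status: 200, policy };
}
```

Path parameters arrive as strings, which is why the fixed handler normalizes with Number() before comparing against the stored project_id.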

Affected Version(s)

chartbrew = 4.9.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
