


Perceptive Security
SOC/SIEM Consultancy

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew expos…
Published:
29 April 2026 at 22:00:00
Alert date:
30 April 2026 at 21:02:39
Source:
nvd.nist.gov
Web Technologies
CVE-2026-40601 affects Chartbrew version 4.9.0, an open-source web application that connects to databases and APIs and turns the returned data into charts. The POST /api/chart/:chart_id/query endpoint is exposed without proper access control: it checks only the team-level team.allowReportRefresh flag and never verifies that the target chart belongs to a public report, that the project is public, or that the sharing policies permit the refresh. As a result, an unauthenticated attacker who knows a chart identifier can trigger a data refresh and read the current data of a private chart, exposing whatever the chart's data source returns. The issue is fixed in version 5.0.0.
Technical details
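The missing-check pattern described above, as an added example that is not Chartbrew's code. Chartbrew's backend is a Node.js application, so the example is written in JavaScript, but the data model is an assumption made for the demo: team.allowReportRefresh is the flag named in the advisory, while project.public, project.sharePolicy.allowRefresh, chart.onPublicReport, the fixtures and the handler names are illustrative. The vulnerable decision lets an anonymous caller through on the team-wide flag alone; the hardened decision additionally requires that the chart is actually exposed (on a public report or in a public project) and that the project's sharing policy allows refresh.

```javascript
// Added example, not Chartbrew's code. Models the authorization gap of
// CVE-2026-40601 with a simplified, assumed data layout.

// Constructed in-memory fixtures standing in for the database (hypothetical).
const teams = {
  1: { id: 1, allowReportRefresh: true },
};
const projects = {
  10: { id: 10, teamId: 1, public: false, sharePolicy: { allowRefresh: true } },
  11: { id: 11, teamId: 1, public: false, sharePolicy: { allowRefresh: false } },
};
const charts = {
  100: { id: 100, projectId: 10, onPublicReport: false, data: "private sales numbers" },
  101: { id: 101, projectId: 10, onPublicReport: true,  data: "chart on a public report" },
  102: { id: 102, projectId: 11, onPublicReport: true,  data: "report whose policy forbids refresh" },
};

// Resolve a chart id to its chart, project and team, or null if unknown.
function lookupChart(chartId) {
  const chart = charts[chartId];
  if (!chart) return null;
  const project = projects[chart.projectId];
  const team = project ? teams[project.teamId] : undefined;
  if (!project || !team) return null;
  return { chart, project, team };
}

// A logged-in member of the owning team may always refresh its charts.
function isTeamMember(session, team) {
  return Boolean(session && session.authenticated && session.teamId === team.id);
}

// Vulnerable decision (the 4.9.0 behaviour as described): anonymous callers
// are admitted on the team-wide flag alone; the chart's own visibility,
// the project's visibility and the sharing policy are never consulted.
function vulnerableCanRefresh(ctx, session) {
  if (isTeamMember(session, ctx.team)) return true;
  return ctx.team.allowReportRefresh === true;
}

// Hardened decision: an anonymous caller must hit a chart that is actually
// exposed and whose project's sharing policy permits a refresh.
function hardenedCanRefresh(ctx, session) {
  if (isTeamMember(session, ctx.team)) return true;
  const { chart, project, team } = ctx;
  const exposed = chart.onPublicReport === true || project.public === true;
  return team.allowReportRefresh === true
    && exposed
    && project.sharePolicy.allowRefresh === true;
}

// Simulated handler for POST /api/chart/:chart_id/query. `decide` is the
// authorization function; `session` is null for an unauthenticated caller.
// Returns a plain object instead of writing to an HTTP response.
function handleQuery(chartId, session, decide) {
  const ctx = lookupChart(chartId);
  if (!ctx) return { status: 404 };
  if (!decide(ctx, session)) return { status: session ? 403 : 401 };
  // A real implementation would re-run the chart's query against its data
  // source here; the stored string stands in for that result.
  return { status: 200, body: { chartId: ctx.chart.id, data: ctx.chart.data } };
}

// Wrappers mirroring the vulnerable and the fixed build.
const vulnerableQuery = (chartId, session) => handleQuery(chartId, session, vulnerableCanRefresh);
const hardenedQuery = (chartId, session) => handleQuery(chartId, session, hardenedCanRefresh);
```

Calling vulnerableQuery(100, null) returns the private chart's data with status 200, which is the leak; hardenedQuery(100, null) refuses it, hardenedQuery(101, null) still serves the chart that really is on a public report, and hardenedQuery(102, null) is refused because the project's sharing policy forbids refresh even though the chart is on a report. Team members keep full access in both variants, so the fix does not regress the authenticated path.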
Mitigation steps:
Upgrade Chartbrew to version 5.0.0 or later, which contains the fix (see the release and advisory links below). Because the vulnerable endpoint admits anonymous callers on the team.allowReportRefresh flag alone, disabling that flag on the team until the upgrade is applied should cause the existing check to reject unauthenticated refresh requests, at the cost of public-report refresh; confirm this against your own deployment. Review web server or reverse proxy logs for POST requests to /api/chart/<id>/query that carry no valid session, in particular sequences iterating over chart identifiers, to assess whether private chart data was retrieved.
Affected products:
Chartbrew
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40601
https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
