PT-2026-41352 · Mathesar · Mathesar
Published
2026-05-15
·
Updated
2026-05-15
·
CVE-2026-44719
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Mathesar versions 0.2.0 through 0.9.9
Description
An authenticated user can view managed metadata for databases where they are not a collaborator. This occurs because the endpoints 'collaborators.list', 'tables.metadata.list', 'explorations.list', and 'forms.list' accept the
database id variable without verifying the requesting user's collaborator status. Exposed metadata may include collaborator mappings, table metadata, saved exploration metadata, and form metadata. In the case of forms, the exposure of form tokens allows an attacker to submit data to public forms using the configured PostgreSQL role.Recommendations
Update to version 0.10.0.
Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mathesar