PT-2026-41352 · Mathesar · Mathesar

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-44719

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Mathesar versions 0.2.0 through 0.9.9
Description An authenticated user can view managed metadata for databases where they are not a collaborator. This occurs because the endpoints 'collaborators.list', 'tables.metadata.list', 'explorations.list', and 'forms.list' accept the database id variable without verifying the requesting user's collaborator status. Exposed metadata may include collaborator mappings, table metadata, saved exploration metadata, and form metadata. In the case of forms, the exposure of form tokens allows an attacker to submit data to public forms using the configured PostgreSQL role.
Recommendations Update to version 0.10.0.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44719
GHSA-JH9V-HQW8-5CQ8

Affected Products

Mathesar