5.3
/ 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Description
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the formβs configured PostgreSQL role. This vulnerability is fixed in 0.10.0.
Basic Information
ID
CVE-2026-44719
Source
GitHub_M
Published
May 15, 2026 at 18:24
Affected Product
Vendor
mathesar-foundation
Product
mathesar
Version
>= 0.2.0, < 0.10.0
Affected Versions
mathesar-foundation mathesar >= 0.2.0, < 0.10.0