🔐 CVE Alert

CVE-2026-44718

UNKNOWN 0.0

Mathesar: Missing collaborator checks allowed access to saved explorations in other databases

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration’s database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0.
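The missing check described above, shown as an added example (a simplified model, not Mathesar's code): every handler that takes an `exploration_id` resolves the object and checks the caller against the collaborators of that exploration's database before acting. All names and the in-memory data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Exploration:
    id: int
    database_id: int
    name: str

class PermissionDenied(Exception):
    pass

# Constructed sample data: two databases with disjoint collaborators.
EXPLORATIONS = {
    1: Exploration(1, 10, "Sales by region"),
    2: Exploration(2, 20, "Payroll outliers"),
}
COLLABORATORS = {10: {"alice"}, 20: {"bob"}}

def get_vulnerable(user, exploration_id):
    # Flawed pattern (CWE-639/CWE-862): the caller is authenticated, but the
    # object is looked up by ID alone, so any user can read any exploration.
    return EXPLORATIONS[exploration_id]

def _authorized(user, exploration_id):
    # Single choke point used by every handler. An unknown ID and a forbidden
    # ID raise the same error, so responses do not reveal which IDs exist.
    exp = EXPLORATIONS.get(exploration_id)
    if exp is None or user not in COLLABORATORS.get(exp.database_id, set()):
        raise PermissionDenied("exploration not found")
    return exp

def get(user, exploration_id):
    return _authorized(user, exploration_id)

def replace(user, exploration_id, name):
    exp = _authorized(user, exploration_id)
    exp.name = name  # database_id is never taken from the request
    return exp

def delete(user, exploration_id):
    _authorized(user, exploration_id)
    del EXPLORATIONS[exploration_id]
```
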

CWE: CWE-639, CWE-862
Vendor: mathesar-foundation
Product: mathesar
Published: May 15, 2026
Affected Versions

mathesar-foundation / mathesar
>= 0.2.0, < 0.10.0

References

github.com: https://github.com/mathesar-foundation/mathesar/security/advisories/GHSA-wf8r-g5rp-w69f