CVE-2026-44719
Mathesar: Missing collaborator checks allowed access to database-scoped Mathesar metadata
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the formβs configured PostgreSQL role. This vulnerability is fixed in 0.10.0.
| CWE | CWE-862 |
| Vendor | mathesar-foundation |
| Product | mathesar |
| Published | May 15, 2026 |
| Last Updated | May 15, 2026 |
Get instant alerts for mathesar-foundation mathesar
Be the first to know when new unknown vulnerabilities affecting mathesar-foundation mathesar are published β delivered to Slack, Telegram or Discord.