Description
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Published: 2026-04-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Cross‑User File Disclosure via IDOR
Action: Replace or Mitigate
AI Analysis

Impact

The vulnerability resides in Focalboard version 8.0, where the file content endpoint fails to verify that the requesting user owns the file. An authenticated user who knows another user’s file ID can download that file, exposing confidential information. This represents an Insecure Direct Object Reference (IDOR) that allows the disclosure of data but does not grant code execution or system compromise.

Affected Systems

Mattermost’s standalone Focalboard product, specifically version 8.0, is affected. The product is currently unsupported and no fix will be issued, meaning the flaw remains unpatched in any existing installations.

Risk and Exploitability

With a CVSS score of 4.3, the flaw carries moderate severity and poses a moderate risk to confidentiality. The Exploit Predictability Score (EPSS) is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation yet. An attacker requires authenticated access to the system and knowledge of file IDs, limiting exploitation to internal or compromised users rather than remote attackers.

Generated by OpenCVE AI on April 3, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or disable the unsupported Focalboard installation if it is not required for business operations.
  • If removal is not feasible, restrict file upload and download permissions to a minimal set of trusted administrators.
  • Apply network segmentation to isolate the Focalboard environment from sensitive internal resources.
  • Monitor access logs for unexpected file download activity and investigate anomalies.
  • Consider migrating to a maintained alternative if ongoing use of Focalboard is necessary.

Generated by OpenCVE AI on April 3, 2026 at 16:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vph7-r229-qxpf Focalboard doesn't validate file ownership when serving uploaded files
History

Tue, 28 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mattermost:focalboard:8.0.0:*:*:*:*:*:*:*

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost focalboard
Vendors & Products Mattermost
Mattermost focalboard

Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Title Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Mattermost Focalboard
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-04-03T14:54:37.869Z

Reserved: 2026-04-03T13:10:59.177Z

Link: CVE-2026-28736

cve-icon Vulnrichment

Updated: 2026-04-03T14:54:21.095Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T14:16:29.517

Modified: 2026-04-28T00:19:54.037

Link: CVE-2026-28736

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:16:27Z

Weaknesses