Description
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration’s database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0.
Published: 2026-05-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated Mathesar user who is not a collaborator on a database to read, replace, or delete the definition of an exploration belonging to that database. The missing collaborator checks occur in the explorations.get, explorations.replace, and explorations.delete endpoints, so an attacker can disclose, alter, or erase saved exploration metadata such as names, descriptions, selected columns, display metadata, filters, sorting, and transformation settings. The result is partial exposure of, and tampering with, user-defined analytical configurations.

Affected Systems

Mathesar versions from 0.2.0 through 0.9.x are affected; the issue is resolved starting with version 0.10.0. The affected vendor is Mathesar Foundation, and the product is Mathesar, a PostgreSQL-oriented web interface.

Risk and Exploitability

With a CVSS score of 5.3, the issue is rated medium severity. The EPSS score is very low (below 1%) and the vulnerability is not listed in the CISA KEV catalog, so there is no confirmed widespread exploitation. The likely attack vector is internal: a malicious user must be authenticated to the same Mathesar installation and must know or guess a valid exploration_id. Because the only missing control is the collaborator check, exploitation requires no privileges beyond ordinary authentication, although valid identifiers must still be discovered.

Generated by OpenCVE AI on May 15, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mathesar to version 0.10.0 or later, which adds the missing authorization checks
  • If an immediate upgrade is not possible, restrict exploration_id operations to users who are collaborators on the target database through custom access-control rules
  • Apply network segmentation or firewall rules to limit exposure of the Mathesar API surface to trusted users, and monitor for anomalous exploration-access activity
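The weakness behind this CVE (CWE-862 missing authorization, CWE-639 authorization bypass through a user-controlled key) is an object-level check that is absent from three endpoints. The following Python is an added, hypothetical illustration, not Mathesar's own code or API: an in-memory store stands in for the database, `Exploration`, `Store`, `load_authorized` and the `explorations_*` functions are invented names, and the sample users, databases and exploration are constructed. It shows the unchecked lookup pattern next to a hardened one that resolves the exploration's parent database and requires collaborator membership before any read, replace or delete. Unknown ids and unauthorized ids both map to the same `NotFound`, so the endpoint does not confirm which ids exist to callers who are not entitled to them.

```python
"""Added, hypothetical example (not Mathesar's code): an object-level
authorization check for saved-exploration operations, modelled on the
CWE-862/CWE-639 pattern described in CVE-2026-44718."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


class NotFound(Exception):
    """Raised for unknown ids and for ids the caller may not access (same response)."""


@dataclass
class Exploration:
    id: int
    database_id: int
    name: str
    definition: dict


@dataclass
class Store:
    # Constructed in-memory tables standing in for the real persistence layer.
    explorations: Dict[int, Exploration] = field(default_factory=dict)
    collaborators: Set[Tuple[int, int]] = field(default_factory=set)  # (user_id, database_id)

    def is_collaborator(self, user_id: int, database_id: int) -> bool:
        return (user_id, database_id) in self.collaborators


def get_exploration_unchecked(store: Store, exploration_id: int) -> Exploration:
    """Vulnerable pattern: the lookup is keyed on the id alone, so any
    authenticated caller who supplies a valid id receives the record."""
    try:
        return store.explorations[exploration_id]
    except KeyError:
        raise NotFound(exploration_id)


def load_authorized(store: Store, user_id: int, exploration_id: int) -> Exploration:
    """Hardened pattern: resolve the exploration, then confirm the caller is a
    collaborator on its parent database before returning it. 'No such id' and
    'not a collaborator' both raise NotFound, so the endpoint does not reveal
    which ids exist to users who are not entitled to them."""
    exploration = store.explorations.get(exploration_id)
    if exploration is None or not store.is_collaborator(user_id, exploration.database_id):
        raise NotFound(exploration_id)
    return exploration


def explorations_get(store: Store, user_id: int, exploration_id: int) -> dict:
    e = load_authorized(store, user_id, exploration_id)
    return {"id": e.id, "database_id": e.database_id, "name": e.name, "definition": e.definition}


def explorations_replace(store: Store, user_id: int, exploration_id: int,
                         name: str, definition: dict) -> dict:
    e = load_authorized(store, user_id, exploration_id)
    e.name, e.definition = name, dict(definition)
    return explorations_get(store, user_id, exploration_id)


def explorations_delete(store: Store, user_id: int, exploration_id: int) -> None:
    load_authorized(store, user_id, exploration_id)
    del store.explorations[exploration_id]


def demo_store() -> Store:
    # Constructed sample data: user 1 collaborates on database 10, user 2 on database 20;
    # exploration 100 belongs to database 10.
    store = Store()
    store.collaborators.update({(1, 10), (2, 20)})
    store.explorations[100] = Exploration(
        100, 10, "Orders by region", {"columns": ["region"], "filters": []})
    return store


if __name__ == "__main__":
    store = demo_store()
    print(get_exploration_unchecked(store, 100).name)  # any authenticated caller: record leaks
    print(explorations_get(store, 1, 100)["name"])     # collaborator on database 10: allowed
    try:
        explorations_get(store, 2, 100)                # not a collaborator: refused
    except NotFound:
        print("user 2: not found")
```

The same `load_authorized` gate is reused by all three operations, which is the point of the fix: the check belongs where the exploration is resolved from its id, not in one endpoint at a time.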

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration's database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0.

Type: Title
  Values Removed: (none)
  Values Added: Mathesar: Missing collaborator checks allowed access to saved explorations in other databases

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-639, CWE-862

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:23:10.517Z

Reserved: 2026-05-07T18:04:17.308Z

Link: CVE-2026-44718

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-15T19:17:00.590

Modified: 2026-05-15T19:17:00.590

Link: CVE-2026-44718

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:00:09Z

Weaknesses