CVE-2026-44719 - Vulnerability Details

- Mathesar: Missing collaborator checks allowed access to database-scoped Mathesar metadata

Description

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the form’s configured PostgreSQL role. This vulnerability is fixed in 0.10.0.

Published: 2026-05-15

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Missing collaborator checks in Mathesar 0.2.0 through 0.9.x allow an authenticated user to request database‑level metadata for databases where they are not collaborators. The endpoints collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying collaborator status. Exposed metadata can include collaborator mappings, table metadata, saved exploration data, and form metadata. For public forms, the metadata also contains form tokens, which are equivalent to public form links and enable form submission under the configured PostgreSQL role.

Affected Systems

The vulnerability affects the Mathesar web application provided by mathesar-foundation. Versions from 0.2.0 up to, but not including, 0.10.0 are susceptible. Version 0.10.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely published exploits yet. Because the bug requires an authenticated session, the likely attack vector involves an existing user exploiting allowed API calls to retrieve metadata that should be restricted to collaborators.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mathesar-foundation

mathesar

affected

Version	Status	Constraints
`>= 0.2.0, < 0.10.0`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Mathesar to version 0.10.0 or later.
If upgrade cannot occur immediately, revoke or invalidate form tokens in public forms and restrict public form usage.
Audit collaborator permissions and ensure that only authorized users have access to database metadata.

Generated by OpenCVE AI on May 15, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/mathesar-foundation/mathesar/security/advisories/GHSA-jh9v-hqw8-5cq8

History

Fri, 15 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the form’s configured PostgreSQL role. This vulnerability is fixed in 0.10.0.
Title		Mathesar: Missing collaborator checks allowed access to database-scoped Mathesar metadata
Weaknesses		CWE-862
References		https://github.com/mathesar-foundation/mathesar/security/advisories/GHSA-jh9v-hqw8-5cq8
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-15T18:24:55.012Z

Updated: 2026-05-15T19:57:46.104Z

Reserved: 2026-05-07T18:04:17.308Z

Link: CVE-2026-44719

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T19:17:00.757

Modified: 2026-05-15T19:17:00.757

Link: CVE-2026-44719

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:00:09Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object