PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44718 mathesar-foundation CVE debrief

Mathesar versions 0.2.0 through 0.9.x contain an authorization bypass vulnerability in saved exploration management. The `explorations.get`, `explorations.replace`, and `explorations.delete` API endpoints accept an `exploration_id` parameter without validating whether the requesting user has collaborator access to the exploration's underlying database. An authenticated attacker with valid credentials on the same Mathesar instance can read, modify, or delete saved exploration definitions—including names, descriptions, column selections, display metadata, filters, sorting rules, and transformations—by guessing or obtaining a valid exploration identifier. The vulnerability stems from missing ownership/collaborator checks before executing these operations. This affects confidentiality, integrity, and availability of saved exploration data across database boundaries within a multi-tenant Mathesar deployment. The issue is resolved in version 0.10.0.

Vendor: mathesar-foundation
Product: mathesar
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Organizations running Mathesar 0.2.0-0.9.x in multi-user environments where database explorations contain sensitive query logic, business intelligence configurations, or proprietary data transformations. Particularly relevant for deployments with external user access or shared instances across organizational boundaries.

Technical summary

The vulnerability exists in three exploration management endpoints that fail to verify database collaborator status before executing read, replace, or delete operations. An `exploration_id` parameter is accepted and processed without authorization checks against the exploration's parent database ownership. This allows horizontal privilege escalation where authenticated users can affect resources outside their authorized scope. The fix in 0.10.0 adds proper collaborator verification before permitting any exploration modification or access operations.
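As an added illustration (not Mathesar's own code), the authorization gap described above in simplified form: a handler that fetches an exploration by the caller-supplied id alone, beside a hardened version that routes get, replace and delete through a single lookup which checks the caller against the parent database's collaborator list. The in-memory `Store`, `Exploration` and `NotFound` types, and the sample users and ids, are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """One response for both a missing and an unauthorized id, so an authenticated
    caller cannot use the endpoint as an oracle for which ids exist."""

@dataclass
class Exploration:
    id: int
    database_id: int  # the parent database whose collaborator list governs access
    name: str

@dataclass
class Store:
    # Hypothetical in-memory stand-ins for the persistence layer (not Mathesar's).
    explorations: dict = field(default_factory=dict)   # exploration id -> Exploration
    collaborators: dict = field(default_factory=dict)  # database id -> set of user ids

def get_exploration_vulnerable(store: Store, user_id: str, exploration_id: int):
    # The bug class in the advisory: fetch by the caller-supplied key alone
    # (CWE-639) with no collaborator check at all (CWE-862); user_id is ignored.
    return store.explorations[exploration_id]

def _load_authorized(store: Store, user_id: str, exploration_id: int) -> Exploration:
    # Single choke point: get/replace/delete all go through here, so the check
    # against the PARENT DATABASE's collaborators cannot be skipped per endpoint.
    exp = store.explorations.get(exploration_id)
    if exp is None or user_id not in store.collaborators.get(exp.database_id, set()):
        raise NotFound(f"exploration {exploration_id}")
    return exp

def get_exploration(store, user_id, exploration_id):
    return _load_authorized(store, user_id, exploration_id)

def replace_exploration(store, user_id, exploration_id, new_name):
    exp = _load_authorized(store, user_id, exploration_id)
    exp.name = new_name
    return exp

def delete_exploration(store, user_id, exploration_id):
    _load_authorized(store, user_id, exploration_id)
    del store.explorations[exploration_id]

def sample_store() -> Store:
    # Constructed data: alice collaborates only on database 1, bob only on 2.
    return Store(explorations={7: Exploration(7, 1, "quarterly revenue"),
                               9: Exploration(9, 2, "churn")},
                 collaborators={1: {"alice"}, 2: {"bob"}})
```

With this data, bob can read exploration 7 through the vulnerable handler even though he is not a collaborator on database 1, while the hardened handlers refuse him and still serve alice normally.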

Defensive priority

medium

Recommended defensive actions

  • Upgrade Mathesar to version 0.10.0 or later to obtain the authorization fix
  • Review saved exploration access logs for unauthorized access patterns by non-collaborator users
  • Audit exploration IDs for unexpected modifications between 2026-05-15 and patch deployment
  • Implement network segmentation to limit Mathesar instance access to authorized users only
  • Monitor for anomalous API calls to exploration endpoints from users without database collaborator status

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-wf8r-g5rp-w69f. CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, with low impacts to confidentiality, integrity, and availability. CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization) identified as root causes.

Official resources

2026-05-15