PatchSiren cyber security CVE debrief
CVE-2026-44719 mathesar-foundation CVE debrief
CVE-2026-44719 is a medium-severity authorization bypass in Mathesar, a web application for PostgreSQL database management. In versions from 0.2.0 up to, but not including, 0.10.0, four API endpoints (`collaborators.list`, `tables.metadata.list`, `explorations.list`, and `forms.list`) failed to verify that the requesting user was a collaborator on the specified `database_id`. As a result, any authenticated user on the same Mathesar instance could retrieve metadata for databases on which they had no authorization. The exposed metadata varied by endpoint: collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms specifically, the exposed metadata included form tokens; for public forms, possession of the token grants the same access as the public form link, enabling form submission under the configured PostgreSQL role. The vulnerability was published on 2026-05-15 and last modified on 2026-05-18. It is classified under CWE-862 (Missing Authorization) and carries a CVSS 4.0 score of 5.3 (Medium). The issue is resolved in Mathesar 0.10.0.
- Vendor: mathesar-foundation
- Product: mathesar
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations running Mathesar versions 0.2.0 through 0.9.x with multiple users and databases, particularly those using public forms where token exposure could enable unauthorized submissions.
Technical summary
The vulnerability stems from missing authorization checks on four list endpoints that accept a `database_id` parameter. The endpoints `collaborators.list`, `tables.metadata.list`, `explorations.list`, and `forms.list` in Mathesar versions 0.2.0 through 0.9.x fail to validate that the authenticated user has collaborator status on the requested database. This is a horizontal privilege escalation: any authenticated user can enumerate metadata across all databases on the same instance, not just those they are a collaborator on. The `forms.list` endpoint presents elevated risk because it exposes form tokens, which for public forms act as capability tokens equivalent to the public submission link. The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS 4.0 base score of 5.3 (Medium severity, Low confidentiality impact). Remediation requires upgrading to Mathesar 0.10.0, where the missing authorization checks are implemented.
Defensive priority
medium
Recommended defensive actions
- Upgrade Mathesar to version 0.10.0 or later to remediate this authorization bypass vulnerability.
- Review access logs from before the upgrade for calls to `collaborators.list`, `tables.metadata.list`, `explorations.list`, and `forms.list` whose `database_id` refers to a database the requesting user was not a collaborator on.
- Rotate form tokens for any public forms if unauthorized metadata access is suspected.
- Verify that only expected users have collaborator access to sensitive databases after upgrade.
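The log review above can be automated: for each call to one of the four affected methods, check whether the caller was a collaborator on the requested `database_id`, which is exactly the check the endpoints omitted. The script below is an added example, not Mathesar's own code; the log line layout, the collaborator mapping and the sample log lines are constructed assumptions, so adapt the regular expression to whatever your reverse proxy or application log actually records.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# The four list endpoints named in the advisory.
AFFECTED_METHODS = {
    "collaborators.list",
    "tables.metadata.list",
    "explorations.list",
    "forms.list",
}

# Hypothetical log line layout (constructed for this example, not Mathesar's own):
#   <timestamp> user=<name> method=<rpc method> database_id=<int>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) database_id=(?P<db>\d+)$"
)

# Constructed collaborator mapping as it stood before the upgrade:
# database_id -> usernames that were collaborators on that database.
COLLABORATORS: Dict[int, Set[str]] = {1: {"alice", "bob"}, 2: {"alice"}}

def is_collaborator(user: str, database_id: int, collaborators=COLLABORATORS) -> bool:
    """The check the four endpoints failed to make before 0.10.0."""
    return user in collaborators.get(database_id, set())

def find_unauthorized_calls(lines: Iterable[str], collaborators=COLLABORATORS) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, user, method, database_id) for affected-method calls by non-collaborators."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] not in AFFECTED_METHODS:
            continue  # malformed line, or a method outside the advisory's scope
        db = int(m["db"])
        if not is_collaborator(m["user"], db, collaborators):
            hits.append((m["ts"], m["user"], m["method"], db))
    return hits

# Constructed sample log; "records.list" stands in for any non-affected method.
SAMPLE_LOG = [
    "2026-05-16T10:00:01Z user=alice method=forms.list database_id=2",
    "2026-05-16T10:00:05Z user=bob method=forms.list database_id=2",
    "2026-05-16T10:00:09Z user=carol method=tables.metadata.list database_id=1",
    "2026-05-16T10:00:12Z user=bob method=records.list database_id=2",
    "malformed line",
]

if __name__ == "__main__":
    for hit in find_unauthorized_calls(SAMPLE_LOG):
        print("UNAUTHORIZED", *hit)
```

Use the collaborator mapping that was in effect at the time of the logged requests, not the current one, and treat any hit on `forms.list` as a reason to rotate the affected public form tokens.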
Evidence notes
Vulnerability description and affected versions derived from official CVE record and GitHub Security Advisory. CVSS vector and CWE classification sourced from NVD entry. Fix version confirmed in advisory.
Official resources
- CVE-2026-44719 CVE record (CVE.org)
- CVE-2026-44719 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-15