CVE-2026-44719 is a medium-severity authorization bypass in Mathesar, a web application for PostgreSQL database management. In versions from 0.2.0 up to, but not including, 0.10.0, four API endpoints (`collaborators.list`, `tables.metadata.list`, `explorations.list`, and `forms.list`) failed to verify that the requesting user was a collaborator on the specified `database_id`. This allowed any authenticated user o [truncated]
Mathesar versions 0.2.0 through 0.9.x contain an authorization bypass vulnerability in saved exploration management. The `explorations.get`, `explorations.replace`, and `explorations.delete` API endpoints accept an `exploration_id` parameter without validating whether the requesting user has collaborator access to the exploration's underlying database. An authenticated attacker with valid credentials on t [truncated]
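The missing check that both descriptions above point to, shown as an added example that is not Mathesar's code: the list case authorizes the caller against the requested `database_id`, and the by-id case resolves the owning database from the stored record before authorizing. All function names, the in-memory stores and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

class PermissionDenied(Exception):
    """Raised when the caller is not a collaborator on the target database."""

@dataclass(frozen=True)
class Exploration:
    id: int
    database_id: int
    name: str

# Constructed sample data: (user_id, database_id) collaborator pairs.
COLLABORATORS = {(1, 10), (2, 20)}
EXPLORATIONS = {
    100: Exploration(100, 10, "sales by region"),
    200: Exploration(200, 20, "payroll summary"),
}

def is_collaborator(user_id, database_id):
    return (user_id, database_id) in COLLABORATORS

def get_exploration_unchecked(user_id, exploration_id):
    """Flawed pattern: being authenticated is treated as being authorized."""
    return EXPLORATIONS[exploration_id]

def load_authorized_exploration(user_id, exploration_id):
    """Look up the record, then authorize against ITS database, never a client-supplied one."""
    exploration = EXPLORATIONS.get(exploration_id)
    # Design choice in this sketch: one error for "missing" and "not yours",
    # so responses do not reveal which ids exist.
    if exploration is None or not is_collaborator(user_id, exploration.database_id):
        raise PermissionDenied("exploration not found or access denied")
    return exploration

def get_exploration(user_id, exploration_id):
    return load_authorized_exploration(user_id, exploration_id)

def delete_exploration(user_id, exploration_id):
    # Mutating calls reuse the same gate before touching the store.
    exploration = load_authorized_exploration(user_id, exploration_id)
    del EXPLORATIONS[exploration.id]

def list_explorations(user_id, database_id):
    """List case: check the caller against the requested database_id first."""
    if not is_collaborator(user_id, database_id):
        raise PermissionDenied("not a collaborator on this database")
    return [e for e in EXPLORATIONS.values() if e.database_id == database_id]
```

Routing every by-id operation through one loader keeps the authorization decision in a single place, which also makes it straightforward to cover with a regression test per endpoint.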