Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
AnalysisAI
Focalboard 8.0 fails to validate file ownership during file serving, allowing authenticated attackers to read arbitrary uploaded files if they know the target fileID. The vulnerability affects all versions of the standalone Focalboard product, which is no longer maintained by Mattermost and will not receive security patches. An attacker with valid credentials can exploit this authorization bypass with no additional user interaction to access sensitive file contents.
Technical ContextAI
Focalboard is a self-hosted project management and collaboration platform maintained by Mattermost. The vulnerability exists in the file serving mechanism, which is governed by CWE-639 (Authorization Bypass Through User-Controlled Key), a weakness in access control logic. The affected product uses CPE designation cpe:2.3:a:mattermost:focalboard:*:*:*:*:*:*:*:*, indicating all versions are potentially vulnerable. The root cause is inadequate authorization checks when retrieving uploaded files-the application accepts a fileID parameter from authenticated users without verifying that the requesting user owns or has permission to access the specific file. This allows attackers to enumerate or discover fileIDs (through error messages, directory traversal, or prior knowledge) and retrieve files belonging to other users.
RemediationAI
No vendor-released patch exists for Focalboard standalone; Mattermost has stated that the product is unsupported and no fix will be issued. Organizations currently running standalone Focalboard should migrate to an actively maintained alternative or deploy Focalboard as an integrated plugin within Mattermost Server (if security patches are available in that distribution). As an interim mitigation, restrict file serving endpoints to authenticated users only and implement strict access controls at the network level to limit exposure; additionally, audit access logs and fileID usage patterns to detect unauthorized file enumeration attempts. No workaround exists within Focalboard itself to re-enable file ownership validation without code modification.
More in Focalboard
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18653
GHSA-vph7-r229-qxpf