Skip to main content

Mathesar CVE-2026-44719

| EUVDEUVD-2026-30587 MEDIUM
Missing Authorization (CWE-862)
2026-05-15 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 20:02 EUVD
Analysis Generated
May 15, 2026 - 19:36 vuln.today
CVSS changed
May 15, 2026 - 19:22 NVD
5.3 (MEDIUM)

DescriptionGitHub Advisory

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the form’s configured PostgreSQL role. This vulnerability is fixed in 0.10.0.

AnalysisAI

Authenticated users in Mathesar 0.2.0 through 0.9.x can access metadata for PostgreSQL databases where they lack collaborator privileges, due to missing authorization checks in four API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list). Exposed data includes table schemas, saved explorations, form configurations, and critically, public form submission tokens that grant unauthorized database write access under the form's PostgreSQL role. Fixed in version 0.10.0. CVSS 5.3 (Medium) reflects network-accessible, low-complexity exploitation requiring only basic authentication. No public exploit code or active exploitation detected (EPSS data unavailable, not in CISA KEV).

Technical ContextAI

Mathesar is a web application providing a user interface layer over PostgreSQL databases with role-based collaboration controls. The vulnerability stems from CWE-862 (Missing Authorization), where four API endpoints accept a database_id parameter but fail to verify the authenticated user's collaborator status for that database before returning metadata. This authorization bypass occurs at the application layer-Mathesar's middleware does not enforce its own collaboration model before querying PostgreSQL-managed data. The affected endpoints expose different metadata types: collaborators.list reveals user-to-database mappings, tables.metadata.list exposes table schemas and Mathesar annotations, explorations.list reveals saved query configurations, and forms.list returns form definitions including security-critical form tokens. For public forms, these tokens serve as bearer credentials enabling anonymous form submission with the privileges of the form's configured PostgreSQL role, potentially allowing data insertion or modification beyond the attacker's intended access scope.

RemediationAI

Upgrade to Mathesar version 0.10.0 or later, which implements proper authorization checks verifying collaborator status before returning database metadata from affected API endpoints. Download from the project's GitHub releases page at https://github.com/mathesar-foundation/mathesar/releases. For organizations unable to immediately upgrade, implement interim controls: restrict network access to the Mathesar installation to trusted networks only using firewall rules or reverse proxy authentication, limiting the pool of potential authenticated attackers. Audit existing user accounts and remove accounts that should not have any database access. Review form configurations and regenerate form tokens for public forms that handle sensitive data, then revoke previously issued tokens if the platform supports token rotation. Consider temporarily disabling public form features if form token exposure poses unacceptable risk. Monitor application logs for unusual API access patterns, specifically requests to collaborators.list, tables.metadata.list, explorations.list, or forms.list endpoints with database_id parameters for databases the requesting user should not access. Note that workarounds only reduce attack surface and do not eliminate the vulnerability-upgrading remains the definitive solution.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-44719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy