Skip to main content

Focalboard EUVDEUVD-2026-18653

| CVE-2026-28736 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-03 Mattermost GHSA-vph7-r229-qxpf
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 13:45 euvd
EUVD-2026-18653
Analysis Generated
Apr 03, 2026 - 13:45 vuln.today
CVE Published
Apr 03, 2026 - 13:25 nvd
MEDIUM 4.3

DescriptionCVE.org

UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

AnalysisAI

Focalboard 8.0 fails to validate file ownership during file serving, allowing authenticated attackers to read arbitrary uploaded files if they know the target fileID. The vulnerability affects all versions of the standalone Focalboard product, which is no longer maintained by Mattermost and will not receive security patches. An attacker with valid credentials can exploit this authorization bypass with no additional user interaction to access sensitive file contents.

Technical ContextAI

Focalboard is a self-hosted project management and collaboration platform maintained by Mattermost. The vulnerability exists in the file serving mechanism, which is governed by CWE-639 (Authorization Bypass Through User-Controlled Key), a weakness in access control logic. The affected product uses CPE designation cpe:2.3:a:mattermost:focalboard:*:*:*:*:*:*:*:*, indicating all versions are potentially vulnerable. The root cause is inadequate authorization checks when retrieving uploaded files-the application accepts a fileID parameter from authenticated users without verifying that the requesting user owns or has permission to access the specific file. This allows attackers to enumerate or discover fileIDs (through error messages, directory traversal, or prior knowledge) and retrieve files belonging to other users.

RemediationAI

No vendor-released patch exists for Focalboard standalone; Mattermost has stated that the product is unsupported and no fix will be issued. Organizations currently running standalone Focalboard should migrate to an actively maintained alternative or deploy Focalboard as an integrated plugin within Mattermost Server (if security patches are available in that distribution). As an interim mitigation, restrict file serving endpoints to authenticated users only and implement strict access controls at the network level to limit exposure; additionally, audit access logs and fileID usage patterns to detect unauthorized file enumeration attempts. No workaround exists within Focalboard itself to re-enable file ownership validation without code modification.

Share

EUVD-2026-18653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy