CVE-2026-28736: CWE-639: Authorization Bypass Through User-Controlled Key in Mattermost Focalboard
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
AI Analysis
Technical Summary
Mattermost Focalboard version 8.0 contains an authorization bypass vulnerability (CWE-639) due to improper validation of file ownership when serving uploaded files. An authenticated user with knowledge of another user's fileID can access that file's contents without proper authorization. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity. The product is no longer maintained as a standalone offering, and no patches or official fixes are available.
Potential Impact
An authenticated attacker can read files uploaded by other users if they know the fileID, potentially exposing sensitive information. There is no impact on integrity or availability reported. The vulnerability does not affect cloud-hosted services since Focalboard is a standalone product in this context.
Mitigation Recommendations
No official fix or patch is available because Focalboard as a standalone product is no longer maintained. Users should consider discontinuing use of the vulnerable version or migrating to alternative solutions. Restricting access to the application and limiting knowledge of fileIDs may reduce risk but do not fully mitigate the vulnerability. Monitor for any updates from Mattermost regarding this issue.
CVE-2026-28736: CWE-639: Authorization Bypass Through User-Controlled Key in Mattermost Focalboard
Description
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mattermost Focalboard version 8.0 contains an authorization bypass vulnerability (CWE-639) due to improper validation of file ownership when serving uploaded files. An authenticated user with knowledge of another user's fileID can access that file's contents without proper authorization. The vulnerability has a CVSS 3.1 base score of 4.3, indicating medium severity. The product is no longer maintained as a standalone offering, and no patches or official fixes are available.
Potential Impact
An authenticated attacker can read files uploaded by other users if they know the fileID, potentially exposing sensitive information. There is no impact on integrity or availability reported. The vulnerability does not affect cloud-hosted services since Focalboard is a standalone product in this context.
Mitigation Recommendations
No official fix or patch is available because Focalboard as a standalone product is no longer maintained. Users should consider discontinuing use of the vulnerable version or migrating to alternative solutions. Restricting access to the application and limiting knowledge of fileIDs may reduce risk but do not fully mitigate the vulnerability. Monitor for any updates from Mattermost regarding this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Mattermost
- Date Reserved
- 2026-04-03T13:10:59.177Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69cfc47e0a160ebd922338cb
Added to database: 4/3/2026, 1:45:34 PM
Last enriched: 4/3/2026, 2:00:48 PM
Last updated: 4/3/2026, 10:28:28 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.