CVE-2026-44719: CWE-862: Missing Authorization in mathesar-foundation mathesar
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the form’s configured PostgreSQL role. This vulnerability is fixed in 0.10.0.
AI Analysis
Technical Summary
CVE-2026-44719 is a missing authorization vulnerability (CWE-862) in the Mathesar web application affecting versions >= 0.2.0 and < 0.10.0. Several API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list) accept a database_id parameter without verifying that the requesting user is a collaborator on that database. This allows an authenticated user to view metadata for databases they do not have permission to access. The exposed metadata can include collaborator mappings, table metadata, saved exploration metadata, and form metadata, including form tokens. For public forms, possession of the token is equivalent to having the public form link, enabling submissions under the form's PostgreSQL role. The vulnerability is addressed in Mathesar version 0.10.0.
Potential Impact
An authenticated user on the same Mathesar installation can access metadata of databases they are not authorized to view. This includes sensitive information such as collaborator mappings and form tokens. For public forms, this can lead to unauthorized form submissions under the configured PostgreSQL role. The impact is unauthorized disclosure of metadata and potential misuse of form submission privileges.
Mitigation Recommendations
This vulnerability is fixed in Mathesar version 0.10.0. Users should upgrade to version 0.10.0 or later to remediate this issue. Patch status is not explicitly stated beyond the fix in 0.10.0, so users should verify upgrade availability and apply the official fix. No other mitigation or temporary workaround is indicated.
CVE-2026-44719: CWE-862: Missing Authorization in mathesar-foundation mathesar
Description
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the form’s configured PostgreSQL role. This vulnerability is fixed in 0.10.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44719 is a missing authorization vulnerability (CWE-862) in the Mathesar web application affecting versions >= 0.2.0 and < 0.10.0. Several API methods (collaborators.list, tables.metadata.list, explorations.list, forms.list) accept a database_id parameter without verifying that the requesting user is a collaborator on that database. This allows an authenticated user to view metadata for databases they do not have permission to access. The exposed metadata can include collaborator mappings, table metadata, saved exploration metadata, and form metadata, including form tokens. For public forms, possession of the token is equivalent to having the public form link, enabling submissions under the form's PostgreSQL role. The vulnerability is addressed in Mathesar version 0.10.0.
Potential Impact
An authenticated user on the same Mathesar installation can access metadata of databases they are not authorized to view. This includes sensitive information such as collaborator mappings and form tokens. For public forms, this can lead to unauthorized form submissions under the configured PostgreSQL role. The impact is unauthorized disclosure of metadata and potential misuse of form submission privileges.
Mitigation Recommendations
This vulnerability is fixed in Mathesar version 0.10.0. Users should upgrade to version 0.10.0 or later to remediate this issue. Patch status is not explicitly stated beyond the fix in 0.10.0, so users should verify upgrade availability and apply the official fix. No other mitigation or temporary workaround is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T18:04:17.308Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec1ec166c07b08309fe
Added to database: 5/15/2026, 7:06:41 PM
Last enriched: 5/15/2026, 7:23:41 PM
Last updated: 5/16/2026, 6:26:50 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.