CVE-2026-44718— Mathesar: Missing collaborator checks allowed access to saved explorations in other databases
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1005 · Data from Local SystemAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mathesar-foundation | mathesar | >= 0.2.0, < 0.10.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44718
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mathesar: Missing collaborator checks allowed access to saved explorations in other databases
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration’s database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mathesar 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mathesar是Mathesar Foundation开源的一个无需编码的PostgreSQL数据协作与编辑工具。 Mathesar 0.2.0版本至0.10.0之前版本存在安全漏洞,该漏洞源于未验证请求用户是否为数据库协作者,可能导致已认证用户读取、替换或删除不属于其协作者角色的探索定义。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| mathesar-foundation | mathesar | >= 0.2.0, < 0.10.0 | - |
II. Public POCs for CVE-2026-44718
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44718
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-639
- CVE-2026-9136
Unauthorized ShadowAttribute modification in MISP via client - CVE-2026-9087
Keycloak: cross-session email verification proof not bound t - CVE-2026-47068
Cross-session PubSub topic injection via URL parameter in ph - CVE-2026-6566
Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insec - CVE-2026-6072
Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass
V. Comments for CVE-2026-44718
No comments yet