CVE-2026-44719— Mathesar: Missing collaborator checks allowed access to database-scoped Mathesar metadata

Mathesar: Missing collaborator checks allowed access to database-scoped Mathesar metadata

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the form’s configured PostgreSQL role. This vulnerability is fixed in 0.10.0.

N/A

授权机制缺失

Mathesar 安全漏洞

Mathesar是Mathesar Foundation开源的一个无需编码的PostgreSQL数据协作与编辑工具。 Mathesar 0.2.0版本至0.10.0之前版本存在安全漏洞，该漏洞源于未验证请求用户是否为数据库协作者，可能导致已认证用户查看不属于其协作者角色的元数据，包括协作者映射、表元数据、探索元数据和表单元数据。

N/A

N/A