CVE-2026-44718

Vulnerability Description

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration’s database. An authenticated user on the same Mathesar installation who knew or guessed an exploration ID could read, replace, or delete a saved exploration belonging to a database where they were not a collaborator. This affected Mathesar-managed saved exploration definitions, including names, descriptions, selected columns, display metadata, filters, sorting, and transformations. This vulnerability is fixed in 0.10.0.
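
The missing check described above, as an added example in Python; it is a hypothetical in-memory model, not Mathesar's code. Every name, the sample data, and the single `NotFoundOrForbidden` error (used so that unknown and unauthorized IDs look the same to a caller) are assumptions of this sketch.

```python
# Added illustration: a hypothetical in-memory model, not Mathesar's code.
from dataclasses import dataclass


class NotFoundOrForbidden(Exception):
    """One error for 'missing' and 'not allowed', so IDs cannot be probed."""


@dataclass
class Exploration:
    id: int
    database_id: int
    name: str


# Constructed sample data.
EXPLORATIONS = {
    1: Exploration(1, database_id=10, name="payroll by month"),
    2: Exploration(2, database_id=20, name="public stats"),
}
COLLABORATORS = {10: {"alice"}, 20: {"alice", "bob"}}  # database_id -> users


def get_unchecked(user, exploration_id):
    """The flawed pattern: any authenticated user, lookup by ID only."""
    return EXPLORATIONS[exploration_id]


def _authorized(user, exploration_id):
    """Resolve the exploration, then check the user against ITS database."""
    exp = EXPLORATIONS.get(exploration_id)
    if exp is None or user not in COLLABORATORS.get(exp.database_id, set()):
        raise NotFoundOrForbidden(exploration_id)
    return exp


def get(user, exploration_id):
    return _authorized(user, exploration_id)


def replace(user, exploration_id, name):
    exp = _authorized(user, exploration_id)
    exp.name = name
    return exp


def delete(user, exploration_id):
    _authorized(user, exploration_id)
    del EXPLORATIONS[exploration_id]
```

Routing get, replace, and delete through one shared check keeps the three operations from drifting apart when a new one is added.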

Related Weaknesses (CWE)

References

FAQ

What is CVE-2026-44718?

CVE-2026-44718 is a documented vulnerability in Mathesar, a web application for working with PostgreSQL databases. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration_id without verifying that the requesting user was a collaborator on the exploration's database.

How severe is CVE-2026-44718?

CVSS scoring is not yet available for CVE-2026-44718. Check NVD for updates.

Is there a patch for CVE-2026-44718?

This vulnerability is fixed in Mathesar 0.10.0. Check the references section above for vendor advisories and patch information, and review vendor security bulletins for remediation guidance.