Vulnerability Description
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database_id without verifying that the requesting user was a collaborator on that database. An authenticated user on the same Mathesar installation could use these methods to view Mathesar-managed metadata for databases where they were not a collaborator. Depending on the database and features in use, exposed metadata could include collaborator mappings, table metadata, saved exploration metadata, and form metadata. For forms, the exposed metadata included form tokens. For public forms, possession of the token is equivalent to possession of the public form link, which allows submission to the form under the form’s configured PostgreSQL role. This vulnerability is fixed in 0.10.0.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-44719?
CVE-2026-44719 is a documented vulnerability. Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms...
How severe is CVE-2026-44719?
CVSS scoring is not yet available for CVE-2026-44719. Check NVD for updates.
Is there a patch for CVE-2026-44719?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.