Mathesar Saved Exploration Access Vulnerability Allowing Unauthorized Read, Replace, or Delete Operations
Vulnerability
Mathesar versions from 0.2.0 up to, but not including, 0.10.0 allow any authenticated user to read, modify, or delete saved explorations in databases on which they are not a collaborator. The affected RPC methods resolve the exploration from the exploration ID supplied by the caller and act on it without first checking that the caller is a collaborator on the database the exploration belongs to; the methods require only that the caller be an authenticated Mathesar user. What is exposed is the exploration definition itself, that is, its metadata and transformation details. The flaw does not expose database credentials or the underlying PostgreSQL table data.
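The pattern described above, as an added illustration that is not Mathesar's code: a minimal Python model of an RPC-style exploration service whose methods resolve the object from a caller-supplied ID and act on it, beside a hardened variant that requires the caller to be a collaborator on the exploration's database. The class and function names (Exploration, ExplorationStore, VulnerableService, FixedService, NotCollaborator, attempt) and the sample data are assumptions made for this example.

```python
# Editor-added model of the authorization gap described above. Not Mathesar's
# code: the classes, method names and sample data are assumptions for the example.
from dataclasses import dataclass, field

class NotFound(LookupError):
    """No exploration exists with the supplied ID."""

class NotCollaborator(PermissionError):
    """Caller is not a collaborator on the database that owns the exploration."""

@dataclass
class Exploration:
    id: int
    database_id: int
    name: str
    definition: dict = field(default_factory=dict)  # metadata and transformation steps

class ExplorationStore:
    """In-memory stand-in for persisted state: explorations by ID, and the set of
    collaborator usernames for each database ID."""

    def __init__(self):
        self.collaborators = {}
        self.explorations = {}

    def get_exploration(self, exploration_id):
        try:
            return self.explorations[exploration_id]
        except KeyError:
            raise NotFound(exploration_id) from None

class VulnerableService:
    """Flawed pattern: every method trusts only that `user` is authenticated,
    resolves the exploration from the caller-supplied ID and acts on it."""

    def __init__(self, store):
        self.store = store

    def _resolve(self, user, exploration_id):
        # The gap: nothing here ties `user` to the database the exploration belongs to.
        return self.store.get_exploration(exploration_id)

    def get(self, user, exploration_id):
        return self._resolve(user, exploration_id)

    def replace(self, user, exploration_id, definition):
        exp = self._resolve(user, exploration_id)
        exp.definition = definition
        return exp

    def delete(self, user, exploration_id):
        self._resolve(user, exploration_id)
        del self.store.explorations[exploration_id]

class FixedService(VulnerableService):
    """Hardened pattern: the ID lookup itself enforces collaborator status, so no
    ID-based method can reach an exploration without passing the check."""

    def _resolve(self, user, exploration_id):
        exp = super()._resolve(user, exploration_id)
        if user not in self.store.collaborators.get(exp.database_id, set()):
            raise NotCollaborator(f"{user} is not a collaborator on database {exp.database_id}")
        return exp

def build_sample_store():
    """Constructed sample data: alice collaborates on database 1, mallory does not."""
    store = ExplorationStore()
    store.collaborators[1] = {"alice"}
    store.explorations[10] = Exploration(
        id=10, database_id=1, name="quarterly totals",
        definition={"base_table": "orders", "transformations": [{"type": "summarize"}]},
    )
    return store

def attempt(service_cls, action, user, exploration_id):
    """Run one RPC-style action as `user` on a fresh sample store and report the outcome."""
    service = service_cls(build_sample_store())
    try:
        if action == "get":
            return "read:" + service.get(user, exploration_id).name
        if action == "replace":
            service.replace(user, exploration_id, {"base_table": "orders", "transformations": []})
            return "replaced"
        service.delete(user, exploration_id)
        return "deleted"
    except NotCollaborator:
        return "forbidden"
    except NotFound:
        return "not found"

if __name__ == "__main__":
    for cls in (VulnerableService, FixedService):
        for action in ("get", "replace", "delete"):
            print(f"{cls.__name__:18} {action:8} as mallory -> {attempt(cls, action, 'mallory', 10)}")
```

Run as a script, the vulnerable service reports read, replaced and deleted for mallory, who is not a collaborator on database 1, while the fixed service reports forbidden for all three and still serves alice. Putting the check in the lookup rather than in each method is the design point: a method added later cannot forget it. One caveat: the fixed service still distinguishes a missing ID from a forbidden one, so if exploration IDs are guessable and enumeration matters, return the same error in both cases.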
Impact
An authenticated user who supplies the ID of an exploration in a database they do not collaborate on can read its definition, replace it with one of their own, or delete it outright. The confidentiality and integrity of saved explorations in non-collaborator databases are therefore lost, and exploration data can be tampered with or destroyed.
Remediation
Upgrade to Mathesar 0.10.0 or later. There is no complete workaround for multi-user deployments. Deployments in which every account belongs to a mutually trusted user are less exposed, since the affected methods can only be invoked by an authenticated user, but the missing check is not restored until the upgrade.
