Mathesar Missing Database Authorization Vulnerability Allowing Unauthorized Metadata Access

Vulnerability

A vulnerability in Mathesar versions from 0.2.0 up to, but not including, 0.10.0 allows authenticated users to access database-specific metadata without proper authorization. The issue arises in several RPC methods that accept a database ID without verifying whether the calling user is a collaborator on that database. This flaw could lead to unauthorized exposure of collaborator mappings, table metadata, saved exploration metadata, and form metadata, including sensitive form tokens for public forms, which could be used to submit responses under certain PostgreSQL roles.
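The root cause described above is a missing object-level authorization check: the RPC layer authenticates the caller but trusts the supplied database ID. The following is an added illustration, not Mathesar's code; the registry, decorator, method names, and sample data are hypothetical. It shows the unchecked pattern beside a checked one, and an audit helper that flags registered RPC methods taking a database_id that were never wrapped with the collaborator check, which is the kind of inventory a maintainer would run to catch the remaining unguarded methods.

```python
import inspect
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable


class PermissionDenied(Exception):
    """Raised when the caller is not a collaborator on the requested database."""


@dataclass
class Database:
    id: int
    collaborators: frozenset          # user ids allowed to see this database's metadata
    metadata: dict = field(default_factory=dict)


# Constructed sample data (hypothetical databases, users, and form tokens).
DATABASES = {
    1: Database(1, frozenset({10, 11}), {"forms": [{"name": "intake", "token": "tok-constructed-1"}]}),
    2: Database(2, frozenset({12}), {"forms": []}),
}

# Hypothetical RPC registry: name -> callable, populated by @rpc_method.
RPC_REGISTRY: dict[str, Callable] = {}


def rpc_method(func):
    """Register a function as an RPC method."""
    RPC_REGISTRY[func.__name__] = func
    return func


def require_collaborator(func):
    """Reject the call unless user_id is a collaborator on database_id.

    A missing database and a forbidden database raise the same error so the
    caller cannot use the response to enumerate which database IDs exist.
    """
    @wraps(func)
    def wrapper(*, user_id, database_id, **kwargs):
        db = DATABASES.get(database_id)
        if db is None or user_id not in db.collaborators:
            raise PermissionDenied(f"user {user_id} may not access database {database_id}")
        return func(user_id=user_id, database_id=database_id, **kwargs)
    wrapper._checks_collaborator = True   # marker the audit below looks for
    return wrapper


@rpc_method
def forms_list_unchecked(*, user_id, database_id):
    """Vulnerable pattern: the caller is authenticated, but the database ID is trusted as-is."""
    return DATABASES[database_id].metadata["forms"]


@rpc_method
@require_collaborator
def forms_list(*, user_id, database_id):
    """Checked pattern: the same method behind the collaborator check."""
    return DATABASES[database_id].metadata["forms"]


def audit_registry():
    """Return names of registered RPC methods that take database_id but never check collaborators.

    inspect.signature follows the __wrapped__ attribute set by functools.wraps,
    so decorated methods still report their real parameters.
    """
    missing = []
    for name, func in RPC_REGISTRY.items():
        params = inspect.signature(func).parameters
        if "database_id" in params and not getattr(func, "_checks_collaborator", False):
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    print("unguarded RPC methods:", audit_registry())
```

Running the module lists forms_list_unchecked as unguarded. Applying the check in one decorator, and auditing the registry for methods that lack it, addresses the "several RPC methods" shape of this advisory better than patching each method by hand.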

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive database metadata, including collaborator information, form tokens for public forms, and other Mathesar-managed data, depending on the features in use.

Remediation

Users are advised to upgrade to Mathesar version 0.10.0 or later. In deployments where all Mathesar users are mutually trusted, exposure to this vulnerability is reduced, since every caller who could exploit it already holds an account.

Added: May 15, 2026, 7:39 PM
Updated: May 15, 2026, 7:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 5.2
remediation: 0.0
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.