CVE-2026-28736
Insecure File Access in Focalboard 8.0 Allows Unauthorized Reading
Publication date: 2026-04-03
Last updated on: 2026-04-28
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | focalboard | 8.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Focalboard version 8.0 has a vulnerability where it fails to validate file ownership when serving uploaded files. This means that an authenticated attacker who knows the fileID of a victim's file can read the content of that file without proper authorization.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to access and read files belonging to other users if they know the fileID. This can lead to unauthorized disclosure of potentially sensitive or confidential information.
What immediate steps should I take to mitigate this vulnerability?
Focalboard as a standalone product is not maintained and no fix will be issued for this vulnerability.
Given this, immediate mitigation steps are limited. It is recommended to restrict authenticated user access to file IDs and monitor for unauthorized file access attempts.