{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28736", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "state": "PUBLISHED", "assignerShortName": "Mattermost", "dateReserved": "2026-04-03T13:10:59.177Z", "datePublished": "2026-04-03T13:25:53.399Z", "dateUpdated": "2026-04-03T14:54:37.869Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Focalboard", "vendor": "Mattermost", "versions": [{"lessThanOrEqual": "8.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Siam Thanat Hack Company Limited"}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."}], "tags": ["unsupported-when-assigned"], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM", "baseScore": 4.3}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639"}]}], "references": [{"url": "https://github.com/mattermost-community/focalboard", "name": "Focalboard Repository (Unmaintained)", "tags": ["product"]}], "source": {"discovery": "EXTERNAL"}, "title": "Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)", "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-03T13:25:53.399Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T14:53:54.422014Z", "id": "CVE-2026-28736", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:54:37.869Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28736", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T14:53:54.422014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:54:21.095Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Siam Thanat Hack Company Limited"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mattermost", "product": "Focalboard", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/mattermost-community/focalboard", "name": "Focalboard Repository (Unmaintained)", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "shortName": "Mattermost", "dateUpdated": "2026-04-03T13:25:53.399Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28736", "state": "PUBLISHED", "dateUpdated": "2026-04-03T14:54:37.869Z", "dateReserved": "2026-04-03T13:10:59.177Z", "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee", "datePublished": "2026-04-03T13:25:53.399Z", "assignerShortName": "Mattermost"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "responsibledisclosure@mattermost.com", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued."}], "id": "CVE-2026-28736", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}, "published": "2026-04-03T14:16:29.517", "references": [{"source": "responsibledisclosure@mattermost.com", "url": "https://github.com/mattermost-community/focalboard"}], "sourceIdentifier": "responsibledisclosure@mattermost.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "responsibledisclosure@mattermost.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Focalboard", "source": "cna", "vendor": "Mattermost"}, "product": "focalboard", "vendor": "mattermost"}], "analysis": {"en": {"generated_at": "2026-04-03T16:35:33.206181+00:00", "value": {"mitigation_remediation": ["Remove or disable the unsupported Focalboard installation if it is not required for business operations.", "If removal is not feasible, restrict file upload and download permissions to a minimal set of trusted administrators.", "Apply network segmentation to isolate the Focalboard environment from sensitive internal resources.", "Monitor access logs for unexpected file download activity and investigate anomalies.", "Consider migrating to a maintained alternative if ongoing use of Focalboard is necessary."], "summary": {"action": "Replace or Mitigate", "impact": "Unauthorized Cross\u2011User File Disclosure via IDOR"}, "threat_synthesis": {"affected_systems": "Mattermost\u2019s standalone Focalboard product, specifically version\u00a08.0, is affected. The product is currently unsupported and no fix will be issued, meaning the flaw remains unpatched in any existing installations.", "description_and_impact": "The vulnerability resides in Focalboard version\u00a08.0, where the file content endpoint fails to verify that the requesting user owns the file. An authenticated user who knows another user\u2019s file ID can download that file, exposing confidential information. This represents an Insecure Direct Object Reference (IDOR) that allows the disclosure of data but does not grant code execution or system compromise.", "risk_and_exploitability": "With a CVSS score of\u00a04.3, the flaw carries moderate severity and poses a moderate risk to confidentiality. The Exploit Predictability Score (EPSS) is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation yet. An attacker requires authenticated access to the system and knowledge of file IDs, limiting exploitation to internal or compromised users rather than remote attackers."}}}}, "created": "2026-04-03T21:14:11.891808+00:00", "updated": "2026-04-03T21:16:27.457764+00:00", "vendors": ["mattermost", "mattermost$PRODUCT$focalboard"]}