CVE-2026-28736 | THREATINT

Description

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

PUBLISHED Reserved 2026-04-03 | Published 2026-04-03 | Updated 2026-04-03 | Assigner Mattermost

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

Any version

affected

Credits

Siam Thanat Hack Company Limited finder

References

github.com/mattermost-community/focalboard (Focalboard Repository (Unmaintained)) product

cve.org (CVE-2026-28736)

nvd.nist.gov (CVE-2026-28736)

Download JSON