Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)

Description

A vulnerability was found in Mattermost Focalboard up to 8.0. It has been classified as problematic. Affected is an unknown function. Performing a manipulation results in authorization bypass. This vulnerability only affects products that are no longer supported by the maintainer.

Affected Products

Vendor	Product	Versions
mattermost	focalboard	go/github.com/mattermost/focalboard: <= 7.10.6

References

https://github.com/mattermost-community/focalboard(product)

Related News (1 articles)

Tier C

VulDB3d ago

CVE-2026-28736 | Mattermost Focalboard up to 8.0 authorization

→ No new info (linked only)

CVSS 3.14.3 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-639

PublishedApr 3, 2026

Last enriched3d agov2

Trending Score25

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 3d ago

v2Tier C3d ago

Updated description with new details about the vulnerability and marked it as actively exploited.

descriptionactivelyExploited

via VulDB

v13d ago

Initial creation

Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History