CVE-2026-28736
Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)
** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Productos afectados
Mattermost · Focalboard¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →