Medium severity4.3NVD Advisory· Published Apr 3, 2026· Updated Apr 28, 2026
CVE-2026-28736
CVE-2026-28736
Description
UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/focalboardGo | <= 7.10.6 | — |
Affected products
1- cpe:2.3:a:mattermost:focalboard:8.0.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/advisories/GHSA-vph7-r229-qxpfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28736ghsaADVISORY
News mentions
0No linked articles in our index yet.