CVE-2026-28736: Focalboard doesn't validate file ownership when serving uploaded files

April 3, 2026 (updated April 6, 2026)

** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim’s fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.

References

github.com/advisories/GHSA-vph7-r229-qxpf
github.com/mattermost-community/focalboard
nvd.nist.gov/vuln/detail/CVE-2026-28736

Code Behaviors & Features

Detect and mitigate CVE-2026-28736 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →