Description

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.

PUBLISHED Reserved 2026-05-28 | Published 2026-05-29 | Updated 2026-05-29 | Assigner Mautic

HIGH: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Problem types

CWE-863 Incorrect Authorization

Product status

Default status: unaffected

7.0.0 (semver) before 7.1.2: affected

Credits

BiAyeNdGi (@zerlyer) finder

@pavelkohout396 finder

John Linhart (@escopecz) remediation developer

Patryk Gruszka (@patrykgruszka) remediation reviewer

Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

github.com/...mautic/security/advisories/GHSA-2jrw-c95w-h43g

cve.org (CVE-2026-9808)

nvd.nist.gov (CVE-2026-9808)