CVE-2018-10189
Description
An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It is possible to systematically emulate tracking cookies per contact due to tracking the contact by their auto-incremented ID. Thus, a third party can manipulate the cookie value with +1 to systematically assume being tracked as each contact in Mautic. It is then possible to retrieve information about the contact through forms that have progressive profiling enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Mautic before 2.13.0, tracking cookies are tied to auto-incremented contact IDs, allowing a third party to iterate IDs and emulate tracking of any contact, then glean data via progressive profiling forms.
Vulnerability
Mautic versions 1.x and 2.x prior to 2.13.0 [1][2] implement contact tracking using a cookie whose value is derived from the auto-incremented database ID of the contact. No additional randomness or uniqueness per device is introduced. This design allows an attacker to systematically enumerate contact IDs by incrementing the cookie value by +1. The tracked contact information is then accessible through any form that has progressive profiling enabled, which collects and reveals data about the contact as they interact with the form.
Exploitation
An attacker needs only the ability to set or manipulate cookies in their browser or automated script. No authentication, special network position, or user interaction beyond visiting a Mautic-hosted page is required. By initializing a tracking cookie with a value of 1 and then sending requests with sequentially incremented cookie values (2, 3, etc.), the attacker can assume the identity of each contact in the system. For each assumed identity, any form that uses progressive profiling may return stored information about that contact, such as email address, name, or custom fields, depending on how the form is configured.
Impact
Successful exploitation allows an attacker to retrieve personal information about all contacts tracked by the Mautic instance. This can lead to mass data exposure, violating the confidentiality of contact records. The impact is limited to information accessible through progressive profiling forms; the attacker does not gain direct administrative access or full read access to the database. However, if forms collect sensitive fields (e.g., email, phone, address), a significant data breach can occur.
Mitigation
The vulnerability is fixed in Mautic version 2.13.0 [2][3]. In this release, contacts are tracked by a unique device ID instead of the auto-incremented ID, though legacy cookies remain supported for backward compatibility. Administrators should upgrade to 2.13.0 or later immediately. As a workaround for existing installations, if the "Identify visitor by tracking url" feature is not in use, it should be disabled in the Tracking Settings [2]. No other workaround is available [3].
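The design flaw and its fix, as an added example that is not Mautic's own code: a tracker that accepts the contact's auto-increment ID as the cookie value beside one that issues a random per-device ID mapped to the contact server-side, plus a check that measures how many contacts sequential cookie values resolve. The `CONTACTS` data, the `tracking_id` cookie name and all class and function names are constructed for illustration.

```python
import secrets

# Constructed sample contact store keyed by auto-incremented ID, standing in for
# Mautic's contacts table (illustrative data, not taken from the advisory).
CONTACTS = {
    1: {"email": "alice@example.test", "company": "Example Co"},
    2: {"email": "bob@example.test", "company": "Example Co"},
    3: {"email": "carol@example.test", "company": "Other Ltd"},
}


class LegacyTracker:
    """Pre-2.13.0 design: the tracking cookie value is the contact's auto-increment ID."""

    def contact_for(self, cookies):
        try:
            return CONTACTS.get(int(cookies.get("tracking_id", "")))
        except ValueError:
            return None


class DeviceIdTracker:
    """2.13.0-style design: a random device ID is issued per browser and mapped to
    the contact server-side, so neighbouring cookie values carry no meaning."""

    def __init__(self):
        self._devices = {}  # device_id -> contact_id

    def issue(self, contact_id):
        device_id = secrets.token_hex(16)  # 128 random bits, not derivable from the ID
        self._devices[device_id] = contact_id
        return device_id

    def contact_for(self, cookies):
        contact_id = self._devices.get(cookies.get("tracking_id", ""))
        return CONTACTS.get(contact_id) if contact_id is not None else None


def progressive_profile_prefill(tracker, cookies):
    """Fields a progressive-profiling form would reveal to whoever presents these cookies."""
    contact = tracker.contact_for(cookies)
    return dict(contact) if contact else {}


def sequential_guess_exposure(tracker, attempts):
    """Defensive check: how many distinct contacts do cookie values 1..attempts resolve?
    A sound tracker design returns 0 regardless of how many contacts exist."""
    resolved = set()
    for value in range(1, attempts + 1):
        contact = tracker.contact_for({"tracking_id": str(value)})
        if contact is not None:
            resolved.add(contact["email"])
    return len(resolved)
```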
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mautic/core (Packagist) | < 2.13.0 | 2.13.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-vfxj-qg93-7wwc (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-10189 (GHSA, ADVISORY)
- github.com/mautic/mautic/releases/tag/2.13.0 (GHSA, x_refsource_CONFIRM, WEB)
- github.com/mautic/mautic/security/advisories/GHSA-vfxj-qg93-7wwc (GHSA, WEB)
News mentions: 0
No linked articles in our index yet.