Improper Access Control in UI upgrade process
Description
The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers could read the Mautic version number or execute parts of the UI-based upgrade process due to missing access controls in the update logic.
Vulnerability
Overview
CVE-2022-25768 describes a missing access control vulnerability in Mautic's user interface update process. The logic that facilitated upgrades via the UI did not verify whether the requesting user had permission to perform the tasks. According to the official description, prior to the patch an attacker could access the Mautic version number or execute parts of the upgrade process without authorization [2]. The affected code path relied on a cookie named mautic_update to trigger upgrade steps such as clearing the cache or running schema migrations [3][4].
Attack
Vector and Prerequisites
The vulnerability could be exploited by crafting a request with the mautic_update cookie set to an appropriate step value (e.g., clearCache or schemaMigration). The logic was placed in the login action of the UserBundle controller, meaning it was reachable without requiring authentication. An attacker with network access to the Mautic instance could trigger these actions simply by sending a specially crafted HTTP request that includes the cookie [3][4]. No special privileges or prior authentication were needed.
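Because the removed code keyed entirely off the `mautic_update` cookie reaching the login action, the request pattern is easy to look for in retrospect. The following is an added detection example, not Mautic's code. It assumes two things the page does not state: that the web server logs the Cookie header (for example an nginx `log_format` that appends `$http_cookie`), and that the login route is `/s/login`; the log lines are constructed for the example.

```python
"""Flag requests that carried the mautic_update cookie to the Mautic login action."""
import re
from http.cookies import SimpleCookie

# Step values the removed SecurityController::loginAction code acted on (from the patch diff).
SUSPICIOUS_STEPS = {"clearCache", "schemaMigration"}
LOGIN_PATH = "/s/login"  # assumption: Mautic's login route on this deployment

# Constructed sample lines: client ip, request line, status, then the Cookie header in quotes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:10:00:01 +0000] "GET /s/login HTTP/1.1" 200 "PHPSESSID=abc123"
203.0.113.9 - - [10/May/2026:10:00:05 +0000] "GET /s/login HTTP/1.1" 200 "mautic_update=clearCache"
203.0.113.9 - - [10/May/2026:10:00:06 +0000] "GET /s/login HTTP/1.1" 200 "PHPSESSID=x; mautic_update=schemaMigration"
198.51.100.4 - - [10/May/2026:10:01:00 +0000] "GET /s/dashboard HTTP/1.1" 302 "mautic_update=clearCache"
203.0.113.9 - - [10/May/2026:10:02:00 +0000] "GET /s/login HTTP/1.1" 200 "mautic_update=bogus"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict with a parsed cookie jar, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    jar = SimpleCookie()
    jar.load(rec["cookie"])  # accepts the "a=b; c=d" form of a Cookie header
    rec["cookies"] = {k: v.value for k, v in jar.items()}
    return rec


def classify(rec):
    """Return a finding for a request matching the CVE-2022-25768 pattern, else None."""
    step = rec["cookies"].get("mautic_update")
    if step is None:
        return None
    path = rec["path"].split("?", 1)[0]
    if path != LOGIN_PATH:
        severity = "info"  # the removed code lived only in loginAction; elsewhere the cookie was inert
    elif step in SUSPICIOUS_STEPS:
        severity = "high"  # this is the value that would have forwarded to an upgrade step
    else:
        severity = "low"   # loginAction only deleted an unrecognised step value
    return {"ip": rec["ip"], "ts": rec["ts"], "path": path, "step": step, "severity": severity}


def scan(log_text):
    """Run every line through parse_line and classify; return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:<5} {f['ip']} {f['ts']} {f['path']} mautic_update={f['step']}")
```

On a patched install the cookie no longer does anything, so a "high" hit after the upgrade is only noise; before the upgrade, or in historical logs, it is the signal to look at what `updateDatabaseMigration` and `updateFinalization` did next.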
Impact
A successful exploit allowed an unauthenticated attacker to potentially read the Mautic version number (information disclosure) or to execute parts of the upgrade process. Executing upgrade tasks could lead to unauthorized changes in the application’s state, such as running database migrations or finalizing an upgrade, which might disrupt normal operation or lead to further compromise. The developer notes that UI-based upgrading is now deprecated and the functionality was removed [2].
Remediation
Mautic has released patches that remove the insecure cookie-handling code from the login controller. The fixes are included in commit 89f964d for the 4.x branch and commit 925aeee for the 5.x branch [3][4]. Users should update to a patched version to remediate this vulnerability. As upgrading via the UI is no longer supported, the removed functionality does not affect normal operations.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mautic/core-lib (Packagist) | >= 1.1.3, < 4.4.13 | 4.4.13 |
| mautic/core-lib (Packagist) | >= 5.0.0-alpha, < 5.1.1 | 5.1.1 |
| mautic/core (Packagist) | >= 1.1.3, < 4.4.13 | 4.4.13 |
| mautic/core (Packagist) | >= 5.0.0-alpha, < 5.1.1 | 5.1.1 |
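The table above gives two affected ranges and two patched releases, one per major line, with a pre-release lower bound on the 5.x line. The following is an added example, not Mautic's or Packagist's code, that checks a composer.lock document against exactly those ranges; the lock excerpt is constructed for the example, and the version shape assumed is "major.minor.patch[-prerelease]" as used in the table (a pre-release such as 5.0.0-alpha sorts before the 5.0.0 release; pre-release labels are compared as plain strings, which is enough for the advisory's single "alpha" bound).

```python
"""Check installed mautic/core or mautic/core-lib versions against the CVE-2022-25768 ranges."""
import json
import re

# From the advisory table: (lower bound inclusive, upper bound exclusive, patched version)
AFFECTED_RANGES = [
    ("1.1.3", "4.4.13", "4.4.13"),
    ("5.0.0-alpha", "5.1.1", "5.1.1"),
]
VULNERABLE_PACKAGES = {"mautic/core", "mautic/core-lib"}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def version_key(version):
    """Sortable tuple: numeric parts, then (1, "") for a release or (0, label) for a pre-release."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    # A pre-release of X.Y.Z precedes the release X.Y.Z, so it gets the lower tag.
    tag = (0, pre) if pre else (1, "")
    return nums + tag


def affected_range(version):
    """Return the (lo, hi, patched) tuple the version falls in, or None if not affected."""
    k = version_key(version)
    for lo, hi, patched in AFFECTED_RANGES:
        if version_key(lo) <= k < version_key(hi):
            return (lo, hi, patched)
    return None


def check_composer_lock(lock_json):
    """Map each vulnerable Mautic package found in a composer.lock document to a finding."""
    lock = json.loads(lock_json)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in VULNERABLE_PACKAGES:
            continue
        ver = pkg.get("version", "")
        rng = affected_range(ver)
        findings[name] = {
            "installed": ver,
            "affected": rng is not None,
            "upgrade_to": rng[2] if rng else None,
        }
    return findings


# Constructed composer.lock excerpt for the example (not from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "mautic/core-lib", "version": "4.4.12"},
        {"name": "symfony/http-foundation", "version": "v5.4.20"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, f in check_composer_lock(SAMPLE_LOCK).items():
        state = f"affected, upgrade to {f['upgrade_to']}" if f["affected"] else "not affected"
        print(f"{name} {f['installed']}: {state}")
```

Run it against a real composer.lock by reading the file into `check_composer_lock`; both `mautic/core` and `mautic/core-lib` are checked because the advisory lists both packages with the same ranges.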
Affected products
Source: GHSA coordinates.
- (no CPE) range: >= 1.1.3, < 4.4.13
- Mautic/Mautic v5 range: >= 1.1.3
Patches
2925aeee7d3dbMerge remote-tracking branch 'security/advisory-fix-MST-33-5.1' into 5.1
1 file changed · +0 −27
app/bundles/UserBundle/Controller/SecurityController.php+0 −27 modified@@ -46,33 +46,6 @@ public function onRequest(RequestEvent $event): void */ public function loginAction(Request $request, AuthenticationUtils $authenticationUtils, IntegrationHelper $integrationHelper, TranslatorInterface $translator): \Symfony\Component\HttpFoundation\Response { - // A way to keep the upgrade from failing if the session is lost after - // the cache is cleared by upgrade.php - if ($request->cookies->has('mautic_update')) { - $step = $request->cookies->get('mautic_update'); - if ('clearCache' === $step) { - // Run migrations - $request->query->set('finalize', 1); - - return $this->forward('Mautic\CoreBundle\Controller\AjaxController::updateDatabaseMigrationAction', - [ - 'request' => $request, - ] - ); - } elseif ('schemaMigration' === $step) { - // Done so finalize - return $this->forward('Mautic\CoreBundle\Controller\AjaxController::updateFinalizationAction', - [ - 'request' => $request, - ] - ); - } - - /** @var \Mautic\CoreBundle\Helper\CookieHelper $cookieHelper */ - $cookieHelper = $this->factory->getHelper('cookie'); - $cookieHelper->deleteCookie('mautic_update'); - } - $error = $authenticationUtils->getLastAuthenticationError(); if (null !== $error) {
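Review bot: deleting the whole `mautic_update` branch also drops the `$cookieHelper->deleteCookie('mautic_update')` cleanup at its tail, so a browser still holding that cookie from an earlier upgrade attempt will keep sending it; it is inert in `loginAction` now, but confirm nothing else reads it and that the sender the removed comment alludes to (the upgrade flow around `upgrade.php`) no longer sets it. The forwarded targets `AjaxController::updateDatabaseMigrationAction` and `updateFinalizationAction` are not touched by this diff, so their own authorization checks are now the only guard on schema migration and finalization when reached through their normal routes; a changelog entry stating that the UI upgrade path is deprecated would tell operators why the login action stopped consuming the cookie.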
89f964d06f00  Merge remote-tracking branch 'security/advisory-fix-MST-33-4.x' into 4.4
1 file changed · +0 −27
app/bundles/UserBundle/Controller/SecurityController.php+0 −27 modified@@ -39,33 +39,6 @@ public function initialize(FilterControllerEvent $event) */ public function loginAction() { - // A way to keep the upgrade from failing if the session is lost after - // the cache is cleared by upgrade.php - if ($this->request->cookies->has('mautic_update')) { - $step = $this->request->cookies->get('mautic_update'); - if ('clearCache' == $step) { - // Run migrations - $this->request->query->set('finalize', 1); - - return $this->forward('MauticCoreBundle:Ajax:updateDatabaseMigration', - [ - 'request' => $this->request, - ] - ); - } elseif ('schemaMigration' == $step) { - // Done so finalize - return $this->forward('MauticCoreBundle:Ajax:updateFinalization', - [ - 'request' => $this->request, - ] - ); - } - - /** @var \Mautic\CoreBundle\Helper\CookieHelper $cookieHelper */ - $cookieHelper = $this->factory->getHelper('cookie'); - $cookieHelper->deleteCookie('mautic_update'); - } - $session = $this->request->getSession(); // get the login error if there is one
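Review bot: the removed `$this->request->query->set('finalize', 1)` shows that the forward to `MauticCoreBundle:Ajax:updateDatabaseMigration` handed that action a `finalize` flag chosen by whoever supplied the cookie, before any login happened; since only the caller is removed here, verify that `updateDatabaseMigration` and `updateFinalization` validate `finalize` and check the caller's permission on their own routes. The 4.x block is otherwise the same logic as the 5.x one (loose `==` instead of `===`, the older `Bundle:Controller:action` forward syntax), so the two backports can share one changelog note.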
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-x3jx-5w6m-q2fc (ghsa, ADVISORY)
[2] nvd.nist.gov/vuln/detail/CVE-2022-25768 (ghsa, ADVISORY)
[3] github.com/mautic/mautic/commit/89f964d06f00688016b38a56dfd9e95fc676c7ce (ghsa, WEB)
[4] github.com/mautic/mautic/commit/925aeee7d3dbb6ca67f92d9dc5893d99250f739b (ghsa, WEB)
[5] github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc (ghsa, WEB)
News mentions
No linked articles in our index yet.