Segment cloning doesn't have a proper permission check
Description
Summary
This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks.
Insecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones.
Mitigation
Update Mautic to a version that implements proper authorization checks for the cloneAction within ListController.php. Ensure that users attempting to clone segments possess the appropriate creation permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mautic has an IDOR vulnerability in segment cloning that lets any authenticated user clone segments without proper authorization.
Root Cause
An insecure direct object reference (IDOR) / missing authorization vulnerability exists in Mautic's segment management cloneAction. The endpoint fails to verify whether the authenticated user has the required permissions to create new segments, allowing unauthorized cloning [1][2][3].
Exploitation
An authenticated attacker can invoke the clone action on existing segments through the user interface or API without needing specific segment creation privileges. The vulnerability is triggered by sending a request to the clone endpoint, and no additional precondition beyond valid authentication is required [2][3].
Impact
By exploiting this lack of authorization, a user who would normally be denied the ability to create new segments can duplicate existing ones. This potentially enables the attacker to circumvent organizational permission controls, leading to unauthorized access to segment data or misuse of marketing resources [1][2].
Mitigation
The fix requires implementing proper authorization checks in the cloneAction method of ListController.php, ensuring that users possess appropriate creation permissions before cloning segments. Updating Mautic to the patched version is the only recommended mitigation; no workarounds are available [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
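The mitigation above comes down to treating a clone as a create operation and gating it behind the same permission. The following is an added illustration, not Mautic's own code: a clone routine with no permission check beside a hardened one. The Segment and Security classes and the permission name 'lead:lists:create' are assumptions for this example.

```php
<?php
// Added example, not Mautic's code. Segment, Security and the permission
// name 'lead:lists:create' are stand-ins assumed for illustration only.

final class Segment {
    public function __construct(public int $id, public string $name, public int $ownerId) {}
}

// Stand-in for the application's security service: holds the caller's grants.
final class Security {
    public function __construct(private array $grants) {}
    public function isGranted(string $permission): bool {
        return in_array($permission, $this->grants, true);
    }
}

// Vulnerable shape: any authenticated caller can clone, whatever their grants.
function cloneSegmentUnchecked(Segment $source, int $callerId): Segment {
    return new Segment(0, $source->name . ' (copy)', $callerId);
}

// Hardened shape: cloning produces a new segment, so it is gated by the same
// permission that governs creating one. The permission name is assumed.
function cloneSegmentChecked(Security $security, Segment $source, int $callerId): Segment {
    if (!$security->isGranted('lead:lists:create')) {
        throw new RuntimeException('Access denied: caller may not create segments');
    }
    return new Segment(0, $source->name . ' (copy)', $callerId);
}

// Constructed sample: a segment owned by user 1 and a caller (user 2) who
// holds only a view grant and no create grant.
$source   = new Segment(7, 'Newsletter subscribers', 1);
$viewOnly = new Security(['lead:lists:viewown']);

$copy = cloneSegmentUnchecked($source, 2);
echo "unchecked: cloned as '{$copy->name}'\n";   // succeeds: this is the flaw

try {
    cloneSegmentChecked($viewOnly, $source, 2);
} catch (RuntimeException $e) {
    echo "checked: {$e->getMessage()}\n";         // denied, as intended
}
```

Run with `php` on the command line; the unchecked path returns a copy for a caller with no create grant, while the checked path refuses before any segment is duplicated.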
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mautic/core (Packagist) | >= 5.0.0-alpha, < 5.2.6 | 5.2.6 |
| mautic/core (Packagist) | >= 6.0.0-alpha, < 6.0.2 | 6.0.2 |
Affected products
- Mautic / Mautic v5 (range: > 5.0.0)
Patches
No patches discovered yet.