SQL Injection in Contact Activity API Sorting
Description
Summary
This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline, where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.
Mitigation
Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.
Workarounds
None.
References
If you have any questions or comments about this advisory, email us at security@mautic.org.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Mautic's Contact Activity API due to unsanitized sort direction parameter, patched in versions 4.4.19, 5.2.10, 6.0.8, and 7.0.1.
Overview
CVE-2026-3105 is a SQL injection vulnerability affecting the API endpoint for retrieving contact activities in Mautic, an open-source marketing automation platform. The root cause lies in the query construction for the Contact Activity timeline, where the parameter controlling sort direction is not validated against an allowlist, allowing injection of arbitrary SQL [1][4].
Exploitation
Exploitation requires an authenticated user with API access to the contact activity endpoint. By manipulating the sort direction parameter, an attacker can inject custom SQL commands into the backend query. No authentication bypass or additional privileges beyond standard API access are needed to trigger the vulnerability [2][4]. The issue is present across multiple Mautic versions prior to the fixes.
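The defect described above, an ORDER BY direction taken from the request and concatenated into the SQL text, and the allowlist fix the advisory alludes to, shown side by side. This is an added, generic Python/sqlite3 illustration written for this page; it is not Mautic's code, and the `contact_events` table, the `SAMPLE_EVENTS` rows and all function names are constructed for the example.

```python
import sqlite3

# Only these two tokens may ever be spliced into the ORDER BY clause.
ALLOWED_DIRECTIONS = frozenset({"ASC", "DESC"})

# Constructed sample rows (id, contact_id, event_type, ts); hypothetical
# schema for the example, not Mautic's real timeline table.
SAMPLE_EVENTS = [
    (1, 42, "email.read", "2026-02-01T10:00:00"),
    (2, 42, "page.hit", "2026-02-03T09:30:00"),
    (3, 42, "form.submitted", "2026-02-02T15:45:00"),
    (4, 7, "page.hit", "2026-02-05T08:00:00"),
]


def build_timeline_query_vulnerable(direction: str) -> str:
    """The flawed pattern: the caller-supplied sort direction is concatenated
    into the statement without validation, so any text the client sends
    becomes SQL. Kept here only to contrast with the hardened version."""
    return (
        "SELECT id, event_type, ts FROM contact_events "
        f"WHERE contact_id = ? ORDER BY ts {direction}"
    )


def is_allowed_direction(direction: str) -> bool:
    """Allowlist check: True only for ASC/DESC, case-insensitively, after
    trimming whitespace. Anything else is rejected outright."""
    return direction.strip().upper() in ALLOWED_DIRECTIONS


def normalize_direction(direction: str) -> str:
    """Map a request parameter to one of the two allowlisted constants, or
    raise. The raw parameter itself never reaches the query text."""
    if not is_allowed_direction(direction):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return direction.strip().upper()


def build_timeline_query(direction: str) -> str:
    """Hardened construction: the only interpolated text is an allowlisted
    constant; the contact id is still passed as a bound parameter."""
    return (
        "SELECT id, event_type, ts FROM contact_events "
        f"WHERE contact_id = ? ORDER BY ts {normalize_direction(direction)}"
    )


def make_demo_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact_events (id INTEGER PRIMARY KEY, "
        "contact_id INTEGER, event_type TEXT, ts TEXT)"
    )
    conn.executemany("INSERT INTO contact_events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def fetch_timeline(conn: sqlite3.Connection, contact_id: int, direction: str) -> list:
    """Return the event ids of one contact ordered by timestamp in the
    validated direction. A bad direction raises before any SQL runs."""
    rows = conn.execute(build_timeline_query(direction), (contact_id,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_timeline(db, 42, "asc"))   # [1, 3, 2]
    print(fetch_timeline(db, 42, "DESC"))  # [2, 3, 1]
    untrusted = "ASC, id"  # not a direction: the vulnerable builder still embeds it
    print(build_timeline_query_vulnerable(untrusted))
    try:
        fetch_timeline(db, 42, untrusted)
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that `ORDER BY` direction cannot be bound as a parameter in most drivers, so the only safe option is to map the request value onto a fixed set of constants and interpolate the constant, never the input; a review of any endpoint that sorts on user input should find exactly that mapping and nothing else between the parameter and the query string.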
Impact
A successful SQL injection attack could allow the attacker to read, modify, or delete arbitrary data from the Mautic database. This may lead to disclosure of sensitive contact information, campaign details, or further compromise of the application and underlying infrastructure [1][4]. The exact impact depends on database permissions, but given Mautic's role in marketing automation, data integrity and confidentiality are at significant risk.
Mitigation
The vulnerability is fixed in Mautic versions 4.4.19, 5.2.10, 6.0.8, and 7.0.1, as released on 2026-02-24 [1][3][4]. Users are strongly advised to update immediately, as no workarounds are available [2][4]. The official advisory (GHSA-r5j5-q42h-fc93) provides further details and links to the patched releases.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mautic/core (Packagist) | >= 2.10.0, < 5.2.10 | 5.2.10 |
| mautic/core (Packagist) | >= 6.0.0-alpha, < 6.0.8 | 6.0.8 |
| mautic/core (Packagist) | >= 7.0.0-alpha, < 7.0.1 | 7.0.1 |
Affected products
- Mautic/Mautic, v5, Range: >= 2.10.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r5j5-q42h-fc93 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-3105 (ghsa, ADVISORY)
- github.com/mautic/mautic/releases/tag/5.2.10 (ghsa, WEB)
- github.com/mautic/mautic/releases/tag/6.0.8 (ghsa, WEB)
- github.com/mautic/mautic/releases/tag/7.0.1 (ghsa, WEB)
- github.com/mautic/mautic/security/advisories/GHSA-r5j5-q42h-fc93 (ghsa, WEB)
News mentions
No linked articles in our index yet.