CVE-2026-9808
Description
An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as viewown or editown) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mautic 7 API v2 endpoints fail to enforce owner-scope role restrictions, letting low-privilege users access or modify other users' resources.
Vulnerability
An authorization bypass vulnerability exists in Mautic 7 API v2 endpoints that use API Platform. When roles are configured with owner-scope restrictions (e.g., viewown or editown), the permission checks are not consistently applied for certain API requests. This allows an authenticated low-privilege user to read or modify resources — such as reports, contacts, and other entities — that belong to other users. The issue affects Mautic 7.0.0 through 7.1.1; versions 6.x, 5.x, and 4.x are not affected [1].
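The bug class described above is an owner-scoped grant (viewown/editown) that is treated as a plain permission while the record's owner is never compared with the caller. The following is an added, language-neutral illustration written for this page; it is not Mautic's or API Platform's code. The permission names are borrowed from the description for readability, and the User/Report types, the in-memory store and the handler functions are constructed assumptions. It shows the flawed check beside an owner-aware one that is applied per record, for single-item reads, for edits and for collection listing.

```python
"""Owner-scope authorization, vulnerable pattern beside the corrected one.

Added example, not Mautic code. Permission names (viewown, editown,
viewother, editother) follow the page; everything else is constructed.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset  # e.g. {"report:viewown", "report:editown"}


@dataclass
class Report:
    id: int
    owner_id: int
    title: str


# Constructed sample data: two owners, one report each.
REPORTS = {
    1: Report(id=1, owner_id=10, title="Q1 pipeline"),
    2: Report(id=2, owner_id=20, title="Board deck"),
}
LOW_PRIV = User(id=10, permissions=frozenset({"report:viewown", "report:editown"}))
ADMIN = User(id=99, permissions=frozenset({"report:viewother", "report:editother"}))


def get_report_vulnerable(user, report_id):
    """The flawed pattern: an 'own' grant is accepted as a general read
    permission, and the record's owner_id is never compared to the caller."""
    if not (user.permissions & {"report:viewown", "report:viewother"}):
        raise Forbidden("no view permission")
    return REPORTS[report_id]  # returns any report, whoever owns it


def is_granted(user, entity, action):
    """Owner-scope aware decision, evaluated against one concrete record.

    'other' scope covers every record; 'own' scope covers only records whose
    owner_id equals the caller's id. Without the record there is nothing to
    compare, so this check must run per item, not once per endpoint."""
    if f"report:{action}other" in user.permissions:
        return True
    if f"report:{action}own" in user.permissions:
        return entity.owner_id == user.id
    return False


def get_report(user, report_id):
    """Single-item read with the ownership comparison enforced."""
    report = REPORTS.get(report_id)
    if report is None or not is_granted(user, report, "view"):
        # One response for "missing" and "not yours" so the endpoint does
        # not confirm which ids exist to callers who may not see them.
        raise Forbidden("not found or not permitted")
    return report


def update_report_title(user, report_id, title):
    """Edit path: uses the edit scope, not the view scope."""
    report = REPORTS.get(report_id)
    if report is None or not is_granted(user, report, "edit"):
        raise Forbidden("not found or not permitted")
    report.title = title
    return report


def list_report_ids(user):
    """Collection read: filter each record through the same decision so an
    owner-scoped role cannot enumerate other users' records via listing."""
    return sorted(r.id for r in REPORTS.values() if is_granted(user, r, "view"))


def is_denied(handler, *args):
    """True when the handler refuses the request; used for checks below."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", get_report_vulnerable(LOW_PRIV, 2).title)  # leaks owner 20's report
    print("hardened denies cross-owner read:", is_denied(get_report, LOW_PRIV, 2))
    print("low-priv sees:", list_report_ids(LOW_PRIV), "admin sees:", list_report_ids(ADMIN))
```

The point to carry over into any framework is the shape of `is_granted`: the decision needs the loaded entity, so it belongs in a per-resource hook (a voter or security expression that receives the object) and in the query filter for collections, not in a route-level permission string check.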
Exploitation
An attacker must be an authenticated user of the Mautic API with a role that is limited to owner-scope permissions for the relevant resource types. The attacker can make API v2 requests for resources they do not own, and due to the missing ownership check, the endpoint returns or modifies the target resource owned by another user. No special network access or additional user interaction is required beyond the attacker's valid API credentials [1].
Impact
Successful exploitation allows the attacker to read or modify restricted resources belonging to other users, including potentially sensitive data in reports and contacts. This bypasses the intended tenant and privilege boundaries of the platform, leading to unauthorized information disclosure and unauthorized modification of data. The attacker does not gain full administrative privileges but can access and alter specific resources outside their permitted scope [1].
Mitigation
Mautic has addressed this issue in version 7.1.2, released on 2026-05-29. Users should upgrade to 7.1.2 or later. Mautic 6.x, 5.x, and 4.x are not vulnerable. No official workaround exists; as a temporary measure, administrators can revoke API credentials or narrow access permissions for users whose roles rely on owner-scope permission containment [1]. If upgrading is not immediately possible, consider cutting off API v2 access for the affected users entirely by removing their API keys until the upgrade can be applied.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is generated only when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.