CVE-2026-9808 PUBLISHED

Assigner: Mautic
Reserved: 28.05.2026 Published: 29.05.2026 Updated: 29.05.2026

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as viewown or editown) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 7.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Package Collection	https://packagist.org
Package Name	mautic/core
Versions	Default: unaffected affected from 7.0.0 to 7.1.2 (excl.)

Workarounds

There are no official workarounds. To mitigate this issue without upgrading, temporarily revoke API credentials or narrow access permissions for any users whose roles rely on owner-scope permission containment.

Credits

BiAyeNdGi (@zerlyer) finder
@pavelkohout396 finder
John Linhart (@escopecz) remediation developer
Patryk Gruszka (@patrykgruszka) remediation reviewer
Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

https://github.com/mautic/mautic/security/advisories/GHSA-2jrw-c95w-h43g

Problem Types

CWE-863 Incorrect Authorization CWE

Impacts

CAPEC-122 Privilege Abuse