CVE-2026-4776
Deferred Deferred - Pending Action
SQL Injection in Mautic API via Unsanitized Contact Filtering

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Mautic

Description
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-4776
EUVD
EUVD-2026-33256
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
mautic mautic From 2.6.0 (inc)
mautic mautic 4.4.20
mautic mautic 5.2.11
mautic mautic 6.0.9
mautic mautic 7.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4776 is a high-severity SQL injection vulnerability found in Mautic's API contact filtering mechanism.

The vulnerability occurs because nested query parameters are not sufficiently sanitized, allowing an authenticated API user to bypass input filtering.

This bypass enables the injection of arbitrary SQL commands into the database queries.

Impact Analysis

Exploiting this vulnerability can lead to unauthorized execution of SQL queries against the database.

This may result in exposure of sensitive data such as user credentials, system configurations, and personally identifiable information (PII) of contacts.

The vulnerability has a CVSS score of 7.1, indicating a high severity impact primarily on confidentiality.

Mitigation Strategies

To mitigate the CVE-2026-4776 vulnerability, you should upgrade Mautic to one of the patched versions: 7.1.2, 6.0.9, 5.2.11, or 4.4.20.

If upgrading immediately is not possible, temporary mitigations include disabling API access or restricting API permissions to trusted accounts only.

Compliance Impact

The SQL injection vulnerability in Mautic's API contact filtering mechanism can lead to unauthorized execution of SQL queries, potentially exposing sensitive data such as personally identifiable information (PII) of contacts. Exposure of PII can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal data against unauthorized access.

Therefore, if exploited, this vulnerability could compromise confidentiality and lead to violations of common standards and regulations that mandate protection of sensitive information.

Detection Guidance

This vulnerability involves SQL injection through Mautic's API contact filtering mechanism by exploiting insufficient sanitization of nested query parameters. Detection typically involves monitoring API requests for unusual or malformed query parameters that could indicate SQL injection attempts.

Since the vulnerability requires authenticated API access, reviewing API logs for suspicious queries or unexpected database errors can help identify exploitation attempts.

Temporary mitigations include disabling API access or restricting API permissions to trusted accounts, which can also reduce the attack surface while detection methods are implemented.

Specific commands to detect this vulnerability are not provided in the available resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart