CVE-2026-9808
Authorization Bypass in Mautic API v2 via Owner-Scope Misconfiguration
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Mautic
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mautic | mautic | From 7.0.0 (inc) to 7.1.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9808 is an authorization bypass vulnerability in Mautic 7's API v2 endpoints, which use API Platform.
The issue occurs when roles configured with owner-scope restrictions (such as viewown or editown) are not properly enforced.
This flaw allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.
- Affected resources include reports, contacts, and companies.
- The vulnerability breaches tenant and privilege boundaries.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive data belonging to other users.
Low-privilege authenticated API users can read confidential information such as reports, contacts, and companies that they should not have access to.
There is a high confidentiality loss risk, although the impact on data integrity is low since unauthorized users may not necessarily modify data.
This breach of tenant and privilege boundaries can compromise the security and privacy of your data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves authorization bypass in Mautic 7 API v2 endpoints where owner-scope restrictions are not properly enforced. Detection would involve monitoring API access patterns for unauthorized access to resources belonging to other users.
Since the issue allows low-privilege authenticated API users to access or modify resources they should not have access to, you can attempt to test API endpoints using credentials with owner-scope roles (such as viewown or editown) to see if they can access or modify resources owned by other users.
Specific commands are not provided in the available resources, but a general approach would be to use API testing tools (like curl or Postman) to perform authenticated API requests with owner-scope roles and verify if access controls are properly enforced.
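The CWE-863 pattern behind this record, and the kind of check a defender would run against an API layer, can be shown in a small self-contained sketch. The following Python is an added illustration and is not Mautic's code, API Platform's code or the actual patch: the entity names, user ids, contact records and the hypothetical `list_contacts_*`/`get_contact_fixed` functions are constructed here, and the permission vocabulary (viewown, viewother, editown, full) follows Mautic's naming convention but is applied to an in-memory list rather than a real data provider. The vulnerable variant accepts any view-type permission as full access, so a caller holding only viewown receives records owned by other users; the fixed variant resolves the effective scope first and applies an owner filter to both the collection and the item lookup, and `owner_scope_enforced` is the regression check that distinguishes the two.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Contact:
    id: int
    owner_id: int
    email: str


@dataclass
class ApiUser:
    id: int
    # Permissions keyed by entity name, e.g. {"contacts": {"viewown"}}.
    permissions: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller lacks the required permission."""


# Constructed sample data: contacts owned by two different users (10 and 20).
CONTACTS = [
    Contact(id=1, owner_id=10, email="a@example.invalid"),
    Contact(id=2, owner_id=20, email="b@example.invalid"),
    Contact(id=3, owner_id=10, email="c@example.invalid"),
]

VIEW_PERMS = {"viewown", "viewother", "full"}


def list_contacts_vulnerable(user, contacts=CONTACTS):
    """Defective check (hypothetical): holding any view-type permission grants
    every record, so the ownership limit carried by 'viewown' is never applied."""
    perms = set(user.permissions.get("contacts", ()))
    if not perms & VIEW_PERMS:
        raise Forbidden("no view permission on contacts")
    return list(contacts)


def effective_scope(user, entity, action):
    """Resolve the caller's scope for entity/action: 'all', 'own' or None."""
    perms = set(user.permissions.get(entity, ()))
    if "full" in perms or f"{action}other" in perms:
        return "all"
    if f"{action}own" in perms:
        return "own"
    return None


def list_contacts_fixed(user, contacts=CONTACTS):
    """Collection endpoint: an 'own' scope is turned into an owner filter."""
    scope = effective_scope(user, "contacts", "view")
    if scope is None:
        raise Forbidden("no view permission on contacts")
    if scope == "own":
        return [c for c in contacts if c.owner_id == user.id]
    return list(contacts)


def get_contact_fixed(user, contact_id, contacts=CONTACTS):
    """Item endpoint: the same owner test must apply to direct lookups by id,
    otherwise filtering the collection alone still leaks single records."""
    scope = effective_scope(user, "contacts", "view")
    if scope is None:
        raise Forbidden("no view permission on contacts")
    for c in contacts:
        if c.id == contact_id:
            if scope == "own" and c.owner_id != user.id:
                # Design choice: deny explicitly; a deployment may prefer to
                # answer "not found" so existence of others' records is not confirmed.
                raise Forbidden("record owned by another user")
            return c
    return None


def owner_scope_enforced(list_fn, contacts=CONTACTS):
    """Regression check: a user holding only 'viewown' must never receive a
    record whose owner_id differs from its own id. Returns True when enforced."""
    user = ApiUser(id=10, permissions={"contacts": {"viewown"}})
    return all(c.owner_id == user.id for c in list_fn(user, contacts))


if __name__ == "__main__":
    print("vulnerable variant enforces owner scope:",
          owner_scope_enforced(list_contacts_vulnerable))
    print("fixed variant enforces owner scope:",
          owner_scope_enforced(list_contacts_fixed))
```

The same shape of check translates to a live instance: create a user whose role grants only viewown on a resource type, have it request the collection and one record owned by another user, and treat any row with a foreign owner in the response as a failed control. Running that check after the upgrade confirms the fix took effect in your deployment rather than relying on the version number alone.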
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include revoking API credentials for users relying on owner-scope controls or restricting their permissions to prevent unauthorized access.
Upgrading Mautic to version 7.1.2 or later is the definitive fix, as this version contains the patch for the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows low-privilege authenticated API users to bypass ownership controls and access or modify resources belonging to other users, including sensitive data such as reports, contacts, and companies.
Such unauthorized access to confidential information can lead to breaches of data privacy and confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA.
Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to unauthorized disclosure or access to personal and sensitive data.