CVE-2026-15191
Received Received - Intake

Authorization Bypass in Mettle SendPortal via Campaign Creation

Vulnerability report for CVE-2026-15191, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mettle sendportal to 3.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unauthorized use of email services from other workspaces, allowing an attacker to send campaigns on behalf of another tenant. This breaks the isolation between tenants, potentially exposing sensitive information or enabling malicious campaigns to be sent without proper authorization.

Executive Summary

This vulnerability is a cross-tenant authorization bypass in the SendPortal application, specifically affecting the Campaign Creation Endpoint. It allows a user in one workspace to create and send campaigns that reference email services belonging to another workspace. The root cause is insufficient validation during campaign creation and dispatch, where the application only checks if the email service ID exists but does not verify if it belongs to the user's workspace. This breaks tenant isolation and enables unauthorized access to resources across different workspaces.

Compliance Impact

This vulnerability allows cross-tenant authorization bypass, enabling users to access and use resources belonging to other workspaces without proper authorization.

Such unauthorized access and potential data leakage could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict access controls and tenant isolation to protect personal and sensitive information.

Therefore, the flaw undermines compliance with these standards by breaking tenant isolation and allowing unauthorized cross-workspace resource usage.

Detection Guidance

This vulnerability involves a cross-tenant authorization bypass in the SendPortal application, specifically in the campaign creation and dispatch workflows where email service ownership is not properly validated.

To detect this vulnerability on your system, you should check if the application allows users to create or dispatch campaigns referencing email services that belong to other workspaces without proper ownership validation.

Since the issue is in the validation of email_service_id in CampaignStoreRequest.php and dispatch in ResolveEmailService.php, you can attempt to create or send campaigns using email_service_ids from other workspaces and observe if the system permits it.

There are no specific commands provided in the resources, but you can perform API or UI tests to verify if cross-workspace resource usage is possible.

Mitigation Strategies

The immediate mitigation involves enforcing strict validation to ensure that email services referenced during campaign creation and dispatch belong to the current user's workspace.

Specifically, add workspace scoping to the email service validation rules in the CampaignStoreRequest.php file and enforce ownership validation during the dispatch process in ResolveEmailService.php.

Until an official patch or update is released, restrict user permissions to limit campaign creation and dispatch capabilities or monitor for suspicious cross-workspace activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15191. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart