Description
Summary

This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.

Mitigation

Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later.

Workarounds

None.

References

If you have any questions or comments about this advisory:

Email us at security@mautic.org
Published: 2026-02-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a SQL injection flaw in Mautic’s Contact Activity API sorting mechanism, where the sort direction parameter is not restricted to a defined allowlist. This allows authenticated users to inject arbitrary SQL commands, enabling unauthorized database read or write operations and potentially exposing or corrupting data. The weakness is identified as CWE‑89, reflecting improper input validation that permits malicious query construction.

Affected Systems

Mautic. All releases prior to 4.4.19, 5.2.10, 6.0.8, or 7.0.1 are affected because they lack the necessary input validation for the sort direction parameter. Any Mautic deployment running an older version remains vulnerable.

Risk and Exploitability

With a CVSS score of 7.6, the vulnerability is considered high severity, while an EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. Attackers must have valid API credentials to reach the vulnerable endpoint, but once authenticated the flaw can be leveraged remotely over the network to execute arbitrary SQL against the underlying database, posing a significant confidentiality and integrity risk.

Generated by OpenCVE AI on April 17, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Mautic version 4.4.19, 5.2.10, 6.0.8, or 7.0.1 or later to apply the vendor’s SQL injection fix.
  • Configure access controls so that only trusted roles or IP ranges can invoke the Contact Activity API, limiting the attack surface for authenticated users.
  • Ensure that the sort direction parameter is validated against a strict allowlist of values (e.g., "ASC" or "DESC"), rejecting any unexpected input before query construction.
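The allowlist check the last recommendation describes, as an added example that is not Mautic's own code: a sort-direction value spliced straight into the ORDER BY clause, beside the allowlisted form that rejects anything but ASC/DESC before the query is built. The table name, columns, contact id and sample rows are constructed for illustration, and an in-memory SQLite database stands in for Mautic's real one.

```python
import sqlite3

# The only values the sort-direction parameter may take.
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

# Constructed sample rows standing in for one contact's activity timeline.
SAMPLE_ACTIVITIES = [
    (1, 42, "email.read", "2026-02-20T10:00:00"),
    (2, 42, "page.hit", "2026-02-21T11:30:00"),
    (3, 42, "form.submit", "2026-02-22T09:15:00"),
]


def is_valid_direction(direction: str) -> bool:
    """Allowlist check: case-insensitive, whitespace-tolerant, nothing else accepted."""
    return direction.strip().upper() in ALLOWED_DIRECTIONS


def build_query_unvalidated(direction: str) -> str:
    """Vulnerable pattern: the caller-supplied direction becomes part of the SQL text,
    so any value outside ASC/DESC is executed as SQL rather than rejected."""
    return f"SELECT id, event FROM activities WHERE contact_id = ? ORDER BY ts {direction}"


def build_query_allowlisted(direction: str) -> str:
    """Hardened pattern: validate against the allowlist before the string reaches the
    query builder. An ORDER BY direction cannot be a bound parameter, so the
    allowlist (not parameter binding) is the control that applies here."""
    if not is_valid_direction(direction):
        raise ValueError(f"invalid sort direction: {direction!r}")
    return f"SELECT id, event FROM activities WHERE contact_id = ? ORDER BY ts {direction.strip().upper()}"


def fetch_activities(query: str, contact_id: int) -> list:
    """Run a query against an in-memory database seeded with the sample rows.
    The contact id is a bound parameter; only the direction needs the allowlist."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activities (id INTEGER, contact_id INTEGER, event TEXT, ts TEXT)")
    conn.executemany("INSERT INTO activities VALUES (?, ?, ?, ?)", SAMPLE_ACTIVITIES)
    rows = conn.execute(query, (contact_id,)).fetchall()
    conn.close()
    return rows


def safe_fetch(direction: str, contact_id: int) -> list:
    """The path a fixed endpoint takes: validate the direction, then query."""
    return fetch_activities(build_query_allowlisted(direction), contact_id)


if __name__ == "__main__":
    print(safe_fetch("desc", 42))  # newest activity first
    print(is_valid_direction("DESC, id"))  # False: rejected before any SQL is built
```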

Generated by OpenCVE AI on April 17, 2026 at 15:41 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-r5j5-q42h-fc93
Title: Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting
History

Sat, 28 Feb 2026 03:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 03:15:00 +0000

First Time appeared (added): Acquia; Acquia mautic
CPEs (added): cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*
Vendors & Products (added): Acquia; Acquia mautic

Wed, 25 Feb 2026 12:00:00 +0000

First Time appeared (added): Mautic; Mautic mautic
Vendors & Products (added): Mautic; Mautic mautic

Tue, 24 Feb 2026 19:30:00 +0000

Description (added): Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API. Mitigation: Please update to 4.4.19, 5.2.10, 6.0.8, 7.0.1 or later. Workarounds: None. References: If you have any questions or comments about this advisory: Email us at security@mautic.org
Title (added): SQL Injection in Contact Activity API Sorting
Weaknesses (added): CWE-89
References (added):
Metrics (added): cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Mautic

Published:

Updated: 2026-02-26T20:07:06.187Z

Reserved: 2026-02-24T10:36:40.356Z

Link: CVE-2026-3105

Vulnrichment

Updated: 2026-02-26T20:06:54.809Z

NVD

Status : Analyzed

Published: 2026-02-24T20:27:50.713

Modified: 2026-02-27T03:11:21.447

Link: CVE-2026-3105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses