Description
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.
Published: 2026-05-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Insufficient recursive sanitization of nested query parameters allows an authenticated API user to bypass input filtering and inject arbitrary SQL commands. This can enable the attacker to read, modify or delete data stored in the database, thereby compromising confidentiality and integrity of the system's information.
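The description above points at the class of defect rather than the fix, so here is an added illustration (written for this page, not Mautic's code, and not a claim about how its filter is implemented) of the defensive pattern: a nested filter tree is validated by the same rules at every depth and compiled into a parameterized WHERE clause, so no user-controlled string is concatenated into SQL. The field allowlist, operator table and filter shape are hypothetical.

```python
# Added illustration, not Mautic's code: validate a nested contact-filter
# tree at every depth and compile it to a parameterized WHERE clause.
# Field names, operators and the filter shape are hypothetical.

ALLOWED_FIELDS = {"email", "firstname", "lastname", "points"}  # hypothetical
ALLOWED_OPS = {"eq": "=", "neq": "<>", "gt": ">", "lt": "<", "like": "LIKE"}
MAX_DEPTH = 4  # bound recursion so a deeply nested filter cannot exhaust the stack

class FilterError(ValueError):
    """Raised for any filter node that is not exactly what the API expects."""

def compile_filter(node, depth=0):
    """Return (sql_fragment, params) for one node of the filter tree.

    Node shapes (hypothetical format):
      {"field": str, "op": str, "val": scalar}
      {"and": [node, ...]} / {"or": [node, ...]}
    Every level is checked by the same rules; a check applied only at the
    top level would leave the children of "and"/"or" unchecked.
    """
    if depth > MAX_DEPTH:
        raise FilterError("filter nesting too deep")
    if not isinstance(node, dict):
        raise FilterError("filter node must be an object")
    for conj in ("and", "or"):
        if conj in node:
            children = node[conj]
            if not isinstance(children, list) or not children:
                raise FilterError(f"'{conj}' must be a non-empty list")
            parts, params = [], []
            for child in children:
                sql, child_params = compile_filter(child, depth + 1)  # recurse
                parts.append(sql)
                params.extend(child_params)
            return "(" + f" {conj.upper()} ".join(parts) + ")", params
    field, op, val = node.get("field"), node.get("op"), node.get("val")
    if not isinstance(field, str) or field not in ALLOWED_FIELDS:
        raise FilterError(f"unknown field {field!r}")  # columns only from the allowlist
    if not isinstance(op, str) or op not in ALLOWED_OPS:
        raise FilterError(f"unknown operator {op!r}")
    if isinstance(val, bool) or not isinstance(val, (str, int, float)):
        raise FilterError("value must be a scalar")
    return f"{field} {ALLOWED_OPS[op]} ?", [val]  # value becomes a bind parameter

def contacts_query(filter_tree):
    """Build the SQL text and bind-parameter list for a contacts filter."""
    where, params = compile_filter(filter_tree)
    return "SELECT id, email FROM contacts WHERE " + where, params
```

The query text is then executed with the parameter list through the database driver's placeholder binding; the filter's values never reach the SQL string.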

Affected Systems

The vulnerability affects the Mautic marketing automation platform’s API contact filtering functionality. All installations that expose this API and rely on the existing filtering logic are impacted. No specific version information is provided, so the risk applies to any deployment that includes the affected code paths.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium-to-high impact. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The likely attack vector requires an authenticated API user, so an attacker would need valid credentials or an application that has legitimate access to the API to exploit this flaw. Once authenticated, the attacker can execute arbitrary SQL statements, leading to significant data compromise.

Generated by OpenCVE AI on May 29, 2026 at 08:50 UTC.

Remediation

Vendor Workaround

There are no official workarounds. To mitigate this issue without upgrading, you may temporarily disable API access or restrict API permissions to highly trusted accounts.


OpenCVE Recommended Actions

  • Temporarily disable the Mautic API, or restrict API permissions to highly trusted accounts, until a fixed release is installed.
  • Check the Mautic project for an updated release that addresses this vulnerability and upgrade the application as soon as a patch is available.
  • Monitor API usage logs for unusual query patterns or repeated errors that may indicate an attempt to exploit the SQL injection flaw.


Tracking


Advisories

No advisories yet.

History

Fri, 29 May 2026 12:30:00 +0000

Type: Metrics
Values Removed: (blank)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 09:15:00 +0000

Type: Title
Values Removed: (blank)
Values Added: SQL Injection via API Contact Filtering in Mautic

Fri, 29 May 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (blank)
Values Added: Mautic; Mautic mautic

Type: Vendors & Products
Values Removed: (blank)
Values Added: Mautic; Mautic mautic

Fri, 29 May 2026 07:45:00 +0000

Type: Description
Values Removed: (blank)
Values Added: An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.

Type: Weaknesses
Values Removed: (blank)
Values Added: CWE-89

Type: References
Values Removed: (blank)
Values Added: (blank)

Type: Metrics
Values Removed: (blank)
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Mautic

Published:

Updated: 2026-05-29T11:41:44.104Z

Reserved: 2026-03-24T15:00:12.560Z

Link: CVE-2026-4776

Vulnrichment

Updated: 2026-05-29T11:41:38.393Z

NVD

Status: Deferred

Published: 2026-05-29T08:16:19.260

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-4776

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T09:00:13Z

Weaknesses