Description
An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.
Published: 2026-05-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorization bypass flaw exists in the Mautic 7 API v2 endpoints built on API Platform. Roles with owner‑scope restrictions (for example, viewown or editown) are not enforced correctly, so an authenticated user with low privileges can read or modify resources owned by other users. This is an incorrect‑authorization weakness (CWE‑863): the role's view or edit permission is honoured, but the condition that limits it to the caller's own records is not applied, which gives horizontal access to other users' data rather than elevated rights. Per the CVSS vector recorded on this page (C:H/I:L/A:N), the impact is primarily to confidentiality, with a limited integrity impact and no availability impact.
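To make the ownership-logic point concrete, here is an added, self-contained model of owner-scope authorization in Python. It is illustrative code written for this page, not Mautic or API Platform source, and the resource, user and scope shapes (`contact:viewown`, `contact:viewother`, and so on) are assumptions. The vulnerable predicate treats an `...own` scope as if it were entity-wide and never compares owners, which is the class of behaviour the description reports; the hardened one grants `...other` unconditionally, grants `...own` only to the owner, and denies otherwise. The same predicate is applied to the collection listing, because securing only the item route is a common way an owner scope leaks.

```python
from dataclasses import dataclass

# Added example for this page, not Mautic/API Platform code. The resource, user and
# scope shapes below ("contact:viewown", "contact:viewother", ...) are assumptions.


@dataclass(frozen=True)
class Resource:
    id: int
    owner_id: int
    kind: str = "contact"


@dataclass(frozen=True)
class User:
    id: int
    scopes: frozenset  # e.g. frozenset({"contact:viewown", "contact:editown"})


# Constructed sample data: contacts 1 and 2 belong to user 10, contact 3 to user 20.
CONTACTS = {
    1: Resource(1, owner_id=10),
    2: Resource(2, owner_id=10),
    3: Resource(3, owner_id=20),
}


def naive_can(user: User, action: str, resource: Resource) -> bool:
    """Vulnerable pattern: an '...own' scope is treated as an entity-wide permission.

    The caller's role is consulted, but resource.owner_id is never compared with
    user.id, so 'viewown' behaves exactly like 'viewother'.
    """
    own = f"{resource.kind}:{action}own"
    other = f"{resource.kind}:{action}other"
    return own in user.scopes or other in user.scopes


def can(user: User, action: str, resource: Resource) -> bool:
    """Hardened check: '...other' grants everything, '...own' only the caller's records."""
    if f"{resource.kind}:{action}other" in user.scopes:
        return True
    if f"{resource.kind}:{action}own" in user.scopes:
        return resource.owner_id == user.id
    return False  # deny by default: no matching scope at all


def get_item(user: User, resource_id: int, check=can) -> Resource:
    """Item endpoint (GET /contacts/{id}): refuse instead of returning a foreign record."""
    resource = CONTACTS[resource_id]
    if not check(user, "view", resource):
        raise PermissionError(f"user {user.id} may not view contact {resource_id}")
    return resource


def list_items(user: User, check=can) -> list:
    """Collection endpoint (GET /contacts): apply the identical predicate to every row."""
    return sorted(r.id for r in CONTACTS.values() if check(user, "view", r))


def update_item(user: User, resource_id: int, new_owner: int, check=can) -> Resource:
    """Edit endpoint (PATCH /contacts/{id}): needs the edit scope, owner-checked.

    Returns the updated record without persisting it; this model has no store.
    """
    resource = CONTACTS[resource_id]
    if not check(user, "edit", resource):
        raise PermissionError(f"user {user.id} may not edit contact {resource_id}")
    return Resource(resource.id, owner_id=new_owner, kind=resource.kind)


def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with PermissionError (used to demonstrate the checks)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    bob = User(20, frozenset({"contact:viewown", "contact:editown"}))
    print("vulnerable listing for bob:", list_items(bob, check=naive_can))  # leaks 1 and 2
    print("hardened listing for bob:  ", list_items(bob))                   # only 3
```

Running the block prints the two listings side by side. Note the asymmetry the model enforces: a user holding only `editown` still cannot change records owned by someone else, even when the role also lets them view their own, so the edit route needs its own owner-checked call rather than reusing the outcome of a view check.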

Affected Systems

The vulnerability affects installations of Mautic version 7 that expose the API v2 endpoints. Any deployment that has API Platform enabled and assigns owner‑scope roles to API users is potentially impacted. No other product versions or vendors are listed, and no fixed release is named on this page.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, scored 7.1 (High). The EPSS score is below 1%, the issue is not listed in the CISA KEV catalog, and the SSVC record on this page reports no known exploitation and rates the issue as not automatable. The attacker must hold valid API credentials (PR:L), so the vector is a remote request made with legitimate or compromised low‑privilege credentials, and no user interaction is required. Once authenticated, the user bypasses the ownership check and can read, and to a lesser extent alter, data belonging to other users. Because the flaw is a missing authorization check rather than memory corruption, exploitation needs nothing more than ordinary API requests for resources the caller does not own.

Generated by OpenCVE AI on May 29, 2026 at 12:27 UTC.

Remediation

Vendor Workaround

There are no official workarounds. To mitigate this issue without upgrading, temporarily revoke the API credentials of, or narrow the permissions of, any users whose roles rely on owner‑scope (viewown/editown) containment, since that containment cannot be trusted on the affected API v2 endpoints.


OpenCVE Recommended Actions

  • Revoke or rotate API credentials for users whose roles hold only owner‑scope permissions until the vulnerability is resolved; the bypass requires valid low‑privilege credentials, so removing them closes the vector.
  • Do not rely on viewown or editown to contain API users on the affected endpoints. Where exposure of other users' records is unacceptable, remove those scopes from the role, which denies the entity to that role entirely, rather than assuming they limit access to the caller's own records.
  • Upgrade to a fixed Mautic release once the vendor publishes one; no advisory or fixed version is listed on this page yet.
  • Enable detailed logging for API requests and monitor for owner‑scoped users successfully reading or writing resources they do not own, which is the signature this bypass leaves.
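As an added illustration of the last action, here is a detection pass in Python over a constructed API access log. It is not Mautic's log format or tooling: the JSON field names, the `/api/v2/{entity}/{id}` path shape, the ownership table and the set of owner-scoped users are assumptions to be replaced with your deployment's own data. It flags successful item requests by owner-scoped users against resources someone else owns, which is exactly the pattern this bypass produces, and summarizes foreign reads and writes per user so each finding can be triaged against the account's normal activity.

```python
import json
import re
from collections import defaultdict

# Added example for this page, not Mautic code. Log fields, path shape, ownership
# table and role sets are assumptions; replace them with your deployment's data.

# Constructed sample access log (JSON lines), one request per line.
LOG_LINES = [
    '{"ts":"2026-05-29T12:00:01Z","user_id":20,"method":"GET","path":"/api/v2/contacts/3","status":200}',
    '{"ts":"2026-05-29T12:00:02Z","user_id":20,"method":"GET","path":"/api/v2/contacts/1","status":200}',
    '{"ts":"2026-05-29T12:00:03Z","user_id":20,"method":"PATCH","path":"/api/v2/contacts/2","status":200}',
    '{"ts":"2026-05-29T12:00:04Z","user_id":10,"method":"GET","path":"/api/v2/contacts/1","status":200}',
    '{"ts":"2026-05-29T12:00:05Z","user_id":20,"method":"GET","path":"/api/v2/contacts/7","status":404}',
    '{"ts":"2026-05-29T12:00:06Z","user_id":30,"method":"GET","path":"/api/v2/contacts/3","status":200}',
    '{"ts":"2026-05-29T12:00:07Z","user_id":20,"method":"GET","path":"/api/v2/contacts","status":200}',
]

# Constructed ownership table: (entity, id) -> owner user id. In a real deployment,
# query the application database for the owner column of each entity.
OWNER_OF = {("contacts", 1): 10, ("contacts", 2): 10, ("contacts", 3): 20}

# Users whose API role carries only owner-scoped permissions (viewown/editown).
# Users holding viewother/editother (here user 30) may legitimately touch any record.
OWNER_SCOPED_USERS = {10, 20}

ITEM_PATH = re.compile(r"^/api/v2/(?P<entity>[a-z]+)/(?P<id>\d+)$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def find_cross_owner_access(lines, owner_of, owner_scoped_users):
    """One finding per successful item request by an owner-scoped user on a foreign resource."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev["status"] >= 400 or ev["user_id"] not in owner_scoped_users:
            continue  # failed requests and unscoped users are not evidence of a bypass
        m = ITEM_PATH.match(ev["path"])
        if not m:
            continue  # collection routes carry no id; correlate those separately
        key = (m["entity"], int(m["id"]))
        owner = owner_of.get(key)
        if owner is None or owner == ev["user_id"]:
            continue  # unknown resource, or the caller's own record
        findings.append({
            "ts": ev["ts"],
            "user_id": ev["user_id"],
            "method": ev["method"],
            "resource": f"{key[0]}/{key[1]}",
            "owner_id": owner,
            "write": ev["method"] in WRITE_METHODS,
        })
    return findings


def summarize(findings):
    """Per-user counts of foreign reads and writes plus the set of affected owners."""
    out = defaultdict(lambda: {"reads": 0, "writes": 0, "victims": set()})
    for f in findings:
        s = out[f["user_id"]]
        s["writes" if f["write"] else "reads"] += 1
        s["victims"].add(f["owner_id"])
    return dict(out)


if __name__ == "__main__":
    hits = find_cross_owner_access(LOG_LINES, OWNER_OF, OWNER_SCOPED_USERS)
    for h in hits:
        print(f'{h["ts"]} user={h["user_id"]} {h["method"]} {h["resource"]} owner={h["owner_id"]}')
    print(summarize(hits))
```

On the sample log this reports two hits for user 20 (a read of contacts/1 and a PATCH of contacts/2, both owned by user 10); the 404, the collection request and the unscoped user 30 produce nothing. Writes deserve priority in triage because they correspond to the integrity side of the CVSS vector, and a collection request by an owner-scoped user that returns more rows than that user owns is the listing-side symptom worth checking separately.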

Advisories

No advisories yet.

History

No values were removed in any entry; each entry lists the values added.

Fri, 29 May 2026 15:30:00 +0000
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 14:15:00 +0000
  First Time appeared: Mautic; Mautic mautic
  Vendors & Products: Mautic; Mautic mautic

Fri, 29 May 2026 12:45:00 +0000
  Title: Authorization Bypass in Mautic 7 API v2 Endpoints

Fri, 29 May 2026 11:45:00 +0000
  Description: An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.
  Weaknesses: CWE-863
  References: none listed
  Metrics: cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mautic

Published:

Updated: 2026-05-29T14:42:37.155Z

Reserved: 2026-05-28T07:56:12.387Z

Link: CVE-2026-9808

Vulnrichment

Updated: 2026-05-29T14:42:33.933Z

NVD

Status : Deferred

Published: 2026-05-29T12:16:26.800

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-9808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T14:00:19Z

Weaknesses