CVE-2026-4776: An SQL injection vulnerability exists in Mautic's API contact filtering mechanism
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.
HarborGuard Analysis
Synopsis
A SQL injection flaw exists in Mautic's API contact filtering, where nested query parameters are not recursively sanitized before reaching the database layer. An authenticated API user with any low-privilege account can reach the endpoint over the network and inject arbitrary SQL, allowing them to read sensitive database contents and degrade service availability. Patched-image rebuilds at Mautic 4.4.20, 5.2.11, 6.0.9, and 7.1.2 are available on HarborGuard for affected environments.
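The flaw pattern named in the summary and synopsis above (nested filter parameters that a top-level-only check never inspects), as an added illustration that is not Mautic's code: a shallow validator beside a recursive allowlist validator, and a compiler that turns an accepted filter tree into a parameterized WHERE fragment. The filter shape (col/expr/val leaves nested under andX/orX nodes), the column allowlist, and the sample request are assumptions constructed for the demonstration.

```python
ALLOWED_COLUMNS = {"email", "firstname", "lastname", "points"}
OPERATORS = {"eq": "=", "neq": "<>", "like": "LIKE", "gt": ">", "lt": "<"}
NESTING = {"andX": " AND ", "orX": " OR "}
MAX_DEPTH = 8

def leaf_ok(node):
    """A leaf passes only if its column and operator are on the allowlist."""
    return node.get("col") in ALLOWED_COLUMNS and node.get("expr") in OPERATORS

def shallow_ok(filters):
    """Flawed pattern: top-level leaves are checked, but the children of an
    andX/orX node are passed through without inspection."""
    return all(n.get("expr") in NESTING or leaf_ok(n) for n in filters)

def tree_ok(filters, depth=0):
    """Hardened pattern: descend into every nesting node and cap the depth."""
    if depth > MAX_DEPTH or not isinstance(filters, list):
        return False
    for n in filters:
        if n.get("expr") in NESTING:
            if not tree_ok(n.get("val"), depth + 1):
                return False
        elif not leaf_ok(n):
            return False
    return True

def compile_where(filters):
    """Validated tree -> WHERE fragment with bind parameters; values never interpolated."""
    if not tree_ok(filters):
        raise ValueError("filter rejected")
    params = []
    def walk(nodes):
        parts = []
        for n in nodes:
            if n["expr"] in NESTING:
                parts.append("(" + NESTING[n["expr"]].join(walk(n["val"])) + ")")
            else:
                params.append(n.get("val"))
                parts.append(f"{n['col']} {OPERATORS[n['expr']]} ?")
        return parts
    return " AND ".join(walk(filters)), params

# Constructed request: the outer nodes are clean, but the nested child carries
# an untrusted column name that a top-level-only check never looks at.
NESTED_REQUEST = [
    {"col": "email", "expr": "like", "val": "%@example.com"},
    {"expr": "orX", "val": [
        {"col": "points", "expr": "gt", "val": 10},
        {"col": "points) OR 1=1 --", "expr": "gt", "val": 0},
    ]},
]
```

`shallow_ok(NESTED_REQUEST)` accepts the request while `tree_ok(NESTED_REQUEST)` rejects it; the depth cap also bounds the recursion an attacker-controlled tree can force.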
HarborGuard Coverage
- Detection: Available. CVE-2026-4776 is ingested from upstream feeds within minutes of publication and matched against Mautic versions in customer registries and CI pipelines, including custom-built images that bundle Mautic as a component.
- Triage: Available. Triage uses the published CVSS 3.1 score of 7.1 (High), then re-weights it against each customer organization's compliance policy (for example, externally exposed marketing stacks typically escalate further) and routes it to the appropriate inbox inside the customer org.
- Patched images: Available. Rebuilds at 4.4.20, 5.2.11, 6.0.9, and 7.1.2 are available on HarborGuard for environments running an affected Mautic version. Customers with auto-remediation enabled receive the rebuilt image, an automatic regression-test run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Mautic API over the network (AV:N), so any environment exposing the API to untrusted networks is in scope.
- Authentication: Required
A valid API account is required (PR:L), but any low-privilege authenticated user is sufficient; no admin role is needed.
- Victim interaction: Not required
No user or admin needs to click or do anything (UI:N); the attacker drives the entire exploit by calling the API.
- Attack complexity: Low
AC:L indicates the injection is reliable and condition-free once the attacker has API credentials and can craft nested filter parameters.
Blast Radius
- Reads arbitrary rows from the Mautic database, including contact records, stored credentials, and API tokens (C:H).
- Degrades availability of the Mautic service through expensive or destructive injected queries (A:L).
- Integrity of stored data is not directly impacted by this flaw (I:N), though disclosed credentials can enable follow-on tampering through legitimate channels.
How HarborGuard Handles This
Available on HarborGuard: rebuilt Mautic images at 4.4.20, 5.2.11, 6.0.9, and 7.1.2 are published as soon as the fix versions are ingested, and for customers who opt into auto-remediation the platform opens a PR against affected workloads with the rebuilt image and a regression-test run attached. Median time from CVE publication to merged patch PR for high-severity issues like this one is around 90 minutes in environments with auto-remediation enabled; environments without auto-remediation receive the same rebuilt image and advisory in their triage inbox for manual rollout, and compensating controls (restricting API network exposure and revoking unused API credentials) are surfaced alongside the finding.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 4.4.20
- Affected Products: 1
Fix available
- Product: unknown; affected ranges: < 4.4.20 (from 2.6.0) · < 5.2.11 (from 5.0.0) · < 6.0.9 (from 6.0.0) · < 7.1.2 (from 7.0.0)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L