CVE-2026-9559: A path traversal vulnerability exists in the campaign import feature of Mautic 7
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user.
HarborGuard Analysis
Synopsis
A path traversal flaw in Mautic 7's campaign import feature lets an authenticated user with campaign:imports:create privileges write arbitrary PHP files outside the intended temporary directories when a ZIP archive is extracted. The bug is reachable over the network and requires only a low-privilege account, and successful exploitation overwrites configuration or cache files to gain remote code execution as the web server user. A patched-image rebuild at Mautic 7.1.2 is available on HarborGuard for affected environments.
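The bug class described above, an archive entry such as `../../x.php` joined onto the extraction directory with no containment check, is commonly called zip slip. The Python below is an added illustration written for this page; it is not Mautic's code (Mautic is PHP) and not HarborGuard's. The directory names, the archive contents and the `cache/prod` target are constructed for the example. It shows how a permissive join resolves a traversal entry outside the import directory, and a hardened extractor that resolves every entry with `realpath`, checks containment with `commonpath`, and rejects the whole archive before writing anything if a single entry escapes.

```python
"""Zip slip during archive import: permissive path resolution beside a hardened one.

Added illustration, not Mautic's or HarborGuard's code. Archive contents and
directory names are constructed for the example.
"""
import io
import os
import tempfile
import zipfile


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry_name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """The permissive resolution a vulnerable extractor performs: join the entry
    name onto dest and normalise, trusting the archive author stayed inside."""
    return os.path.normpath(os.path.join(dest, name))


def escapes(dest: str, target: str) -> bool:
    """True when target resolves outside dest (the zip-slip condition).
    realpath on both sides so symlinks cannot redirect the comparison."""
    dest_real = os.path.realpath(dest)
    target_real = os.path.realpath(target)
    return os.path.commonpath([dest_real, target_real]) != dest_real


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name under dest, refusing absolute names (POSIX or
    Windows style; conservative) and any sequence that climbs out of dest."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    target = naive_target(dest, name)
    if escapes(dest, target):
        raise ValueError(f"entry escapes extraction directory: {name!r}")
    return target


def extract_import(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every entry before writing anything: one bad entry aborts the
    whole import instead of leaving a partially written tree behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
    return written


# Constructed sample archives: a benign export, and a traversal payload aimed at a
# hypothetical cache directory two levels above the per-import extraction directory.
BENIGN = build_archive({"campaign.json": b'{"name": "welcome"}'})
MALICIOUS = build_archive({
    "campaign.json": b'{"name": "welcome"}',
    "../../cache/prod/evil.php": b"<?php system($_GET['c']); ?>",
})


def demo() -> dict:
    """Run both archives through the naive resolution and the hardened extractor."""
    root = tempfile.mkdtemp(prefix="zipslip-demo-")
    dest = os.path.join(root, "imports", "job-1")
    os.makedirs(dest)
    with zipfile.ZipFile(io.BytesIO(MALICIOUS)) as zf:
        names = zf.namelist()
    # Which entries would the permissive join have written outside dest?
    naive_escaped = [n for n in names if escapes(dest, naive_target(dest, n))]
    try:
        extract_import(MALICIOUS, dest)
        malicious_rejected = False
    except ValueError:
        malicious_rejected = True
    return {
        "naive_escaped": naive_escaped,
        "malicious_rejected": malicious_rejected,
        "benign_written": extract_import(BENIGN, dest),
        "cache_file_created": os.path.exists(os.path.join(root, "cache", "prod", "evil.php")),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. Resolving with `realpath` before the containment check means a symlink already present inside the extraction directory cannot redirect the write, and using `commonpath` rather than a string prefix test avoids the classic mistake where a destination of `job-1` accepts a target under the sibling `job-10`. Python's own `ZipFile.extractall` already strips traversal components, so the hardened extractor is written by hand to make the check explicit.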
HarborGuard Coverage
- Detection: Available
The CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle Mautic 7.
- Triage: Available
Triage uses the published CVSS v3.1 score of 9.9 (critical) weighted against each environment's compliance policy, and findings route to the inbox configured for the owning team inside each customer org.
- Remediation: Available
A patched-image rebuild at Mautic 7.1.2 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild runs through regression tests and a PR is opened against the affected workloads.
Exploit Conditions
- Network reachability: Required
The Mautic web interface must be reachable over the network for the attacker to submit the malicious campaign import.
- Authentication: Required
The attacker needs a valid Mautic account that holds the campaign:imports:create privilege; any low-privilege user with that role is sufficient.
- Victim interaction: Not required
No victim action is needed; the attacker drives the import flow directly.
- Attack complexity: Low
The ZIP extraction path-validation flaw is reliably triggered without race conditions or environmental tuning.
Blast Radius
- Writes attacker-controlled PHP files into sensitive directories outside the temporary upload location.
- Overwrites configuration or cache components to achieve remote code execution as the web server user.
- Reads and exfiltrates application secrets, database credentials, and stored customer marketing data.
- Modifies or destroys Mautic data and can pivot to other services reachable from the web server.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at Mautic 7.1.2 is published for any environment scanning an affected version, and for customers with auto-remediation enabled the rebuild is regression-tested and a PR is opened against affected workloads automatically. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation on. Where compliance policy blocks automatic rebuilds, the finding is routed to the owning team's inbox with the fix version pinned so an operator can promote the rebuild manually; restricting the campaign:imports:create permission to trusted accounts is a useful interim control.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: 7.1.2
- Affected Products: 1
Fix available
- Mautic: >= 7.0.0 and < 7.1.2 (fixed in 7.1.2)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H