CVE-2026-9808: An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform)
An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.
HarborGuard Analysis
Synopsis
An authorization bypass in Mautic 7's API v2 endpoints (built on API Platform) fails to enforce owner-scope role restrictions like `viewown` and `editown`. The flaw is reachable over the network by any low-privilege authenticated API user, with no victim interaction required, and lets them read or modify records belonging to other users. A patched-image rebuild at Mautic 7.1.2 is available on HarborGuard for affected environments.
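To make the failure mode concrete, the following added example (not Mautic's or API Platform's code) contrasts an ownership check that treats `viewown`/`editown` as a plain grant with one that actually compares the record owner to the caller, and shows why a collection endpoint has to apply the same scope as a filter. The permission naming (`<bundle>:<action>own` versus `<action>other`), the resource fields and the sample data are assumptions made for illustration.

```python
"""Owner-scope enforcement for an API resource (defensive illustration).

Names, permission strings and sample records are constructed for this
example; they are not taken from Mautic or API Platform.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Resource:
    """A record exposed through an API item/collection endpoint."""
    id: int
    kind: str       # permission bundle the record belongs to, e.g. "contacts"
    owner_id: int   # user that owns the record


@dataclass(frozen=True)
class Principal:
    """The authenticated API caller and the permissions its role grants."""
    user_id: int
    permissions: frozenset


def has_permission_unsafe(principal: Principal, resource: Resource, action: str) -> bool:
    """The defect class described above: an '<action>own' grant is honoured
    without ever looking at who owns the record, so it behaves like a full grant."""
    for suffix in ("other", "own"):
        if f"{resource.kind}:{action}{suffix}" in principal.permissions:
            return True
    return False


def has_permission(principal: Principal, resource: Resource, action: str) -> bool:
    """Hardened check: '<action>other' is a full grant, '<action>own' only
    matches when the record belongs to the caller."""
    perms = principal.permissions
    if f"{resource.kind}:{action}other" in perms:
        return True
    if f"{resource.kind}:{action}own" in perms:
        return resource.owner_id == principal.user_id
    return False


def visible_ids(principal: Principal, resources: Iterable[Resource],
                check: Callable[[Principal, Resource, str], bool] = has_permission) -> List[int]:
    """Collection endpoints must apply the same ownership scope as a filter;
    otherwise a listing leaks records an item-level check would have denied."""
    return [r.id for r in resources if check(principal, r, "view")]


# Constructed sample data: user 10 owns records 1 and 3, user 20 owns record 2.
SAMPLE_RESOURCES = (
    Resource(id=1, kind="contacts", owner_id=10),
    Resource(id=2, kind="contacts", owner_id=20),
    Resource(id=3, kind="contacts", owner_id=10),
)
LOW_PRIV = Principal(user_id=10, permissions=frozenset({"contacts:viewown", "contacts:editown"}))
ADMIN = Principal(user_id=99, permissions=frozenset({"contacts:viewother", "contacts:editother"}))

if __name__ == "__main__":
    print("unsafe listing for user 10:", visible_ids(LOW_PRIV, SAMPLE_RESOURCES, has_permission_unsafe))
    print("scoped listing for user 10:", visible_ids(LOW_PRIV, SAMPLE_RESOURCES))
    print("user 10 may edit record 2 (unsafe):", has_permission_unsafe(LOW_PRIV, SAMPLE_RESOURCES[1], "edit"))
    print("user 10 may edit record 2 (scoped):", has_permission(LOW_PRIV, SAMPLE_RESOURCES[1], "edit"))
```

The point to verify in any API layer is that the ownership comparison runs on both the item operations and the collection query: a correct item-level check paired with an unfiltered collection query still exposes other users' records through the listing.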
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Mautic images in customer registries and CI pipelines, including custom-built images derived from Mautic 7.x.
- Triage: Available
Triage capability scores this at CVSS 7.1 (High) and weights it against each customer's compliance policy, then routes the finding to the configured security inbox inside the affected org. Environments that classify ownership-scope bypass as a high-impact tenancy issue can escalate routing accordingly.
- Remediation: Available
A patched-image rebuild at Mautic 7.1.2 is made available on HarborGuard once the fix version is ingested. For customers who opt into auto-remediation, the rebuild is regression-tested and a PR is opened against workloads pinned to affected 7.0.0-7.1.1 versions.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Mautic API v2 endpoints over the network.
- Authentication: Required
Any low-privilege authenticated API account with owner-scoped roles is sufficient to trigger the bypass.
- Victim interaction: Not required
No user action is needed; the attacker calls the API directly.
- Attack complexity: Low
AC:L indicates the exploit is reliable and does not depend on race conditions or environmental factors.
Blast Radius
- Reads resources owned by other Mautic users, including contacts, segments, and campaign data that the role was meant to be scoped away from.
- Modifies a subset of other users' resources through `editown`-style endpoints that fail to check ownership.
- Does not directly crash or take down the Mautic service (A:N), so availability of the application is preserved.
How HarborGuard Handles This
Available on HarborGuard: a rebuilt Mautic image at 7.1.2 is published once the fix version is ingested, and for environments with auto-remediation enabled the rebuild is regression-tested and a PR is opened against workloads pinned to 7.0.0 through 7.1.1. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments. Where compliance policy gates automatic upgrades, the finding is routed to the configured inbox with the 7.1.2 rebuild attached for manual promotion, and compensating controls such as restricting API access to trusted networks or temporarily disabling owner-scoped roles can be applied while the upgrade is staged.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 7.1.2
- Affected Products: 1
Fix available
- unknown: < 7.1.2 (from 7.0.0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N