{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mautic-core--7.0.0--7.1.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-9808"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Mautic Core (\u003e= 7.0.0, \u003c 7.1.2)"],"_cs_severities":["high"],"_cs_tags":["mautic","authorization-bypass","api","web-application"],"_cs_type":"advisory","_cs_vendors":["Mautic"],"content_html":"\u003cp\u003eAn authorization bypass vulnerability, identified as CVE-2026-9808, has been discovered in Mautic Core versions 7.0.0 through 7.1.1. This flaw affects the API v2 endpoints, which utilize API Platform, and prevents the proper enforcement of owner-scope restrictions such as \u003ccode\u003eviewown\u003c/code\u003e or \u003ccode\u003eeditown\u003c/code\u003e. Attackers, who are low-privilege authenticated API users, can leverage this vulnerability to gain unauthorized access to or modify resources belonging to other users. This bypasses the intended ownership-logic controls and structural tenant and privilege boundaries within the Mautic platform, potentially leading to data exposure or manipulation. This issue was publicly disclosed on July 2, 2026, and poses a significant risk to organizations managing sensitive marketing data through affected Mautic instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains valid, low-privilege API credentials for a Mautic 7 instance (e.g., through credential compromise or an insider threat).\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the Mautic API v2 endpoint using these credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an API request targeting a resource (e.g., a specific contact, company, or report ID) that belongs to a different user or tenant.\u003c/li\u003e\n\u003cli\u003eThe crafted API request is sent to an affected Mautic API v2 endpoint, leveraging the vulnerability where owner-scope restrictions are not properly enforced.\u003c/li\u003e\n\u003cli\u003eMautic's API Platform processing component fails to apply the \u003ccode\u003eviewown\u003c/code\u003e or \u003ccode\u003eeditown\u003c/code\u003e authorization checks for the requested resource.\u003c/li\u003e\n\u003cli\u003eThe Mautic application grants the attacker unauthorized read or write access to the targeted resource.\u003c/li\u003e\n\u003cli\u003eAttacker successfully retrieves sensitive data or manipulates records they should not have access to, bypassing the intended security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAuthenticated API users with limited roles can exploit CVE-2026-9808 to read or modify restricted resources, such as reports, contacts, and companies, that they do not own and should not have access to. This directly bypasses structural tenant and privilege boundaries on the platform, leading to unauthorized data exposure, data tampering, and potential reputational damage for affected organizations. While the number of victims is not specified, any organization utilizing Mautic Core versions 7.0.0 through 7.1.1 is vulnerable to this critical authorization flaw, particularly those with multi-tenant deployments or strict internal access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-9808 immediately by upgrading Mautic Core to version 7.1.2 or later.\u003c/li\u003e\n\u003cli\u003eTemporarily revoke API credentials or narrow access permissions for any users whose roles rely on owner-scope permission containment, if immediate patching of CVE-2026-9808 is not feasible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:33:37Z","date_published":"2026-07-03T11:33:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mautic-api-authorization-bypass/","summary":"An authorization bypass vulnerability (CVE-2026-9808) exists in Mautic 7 API v2 endpoints, where owner-scope restrictions are not properly enforced, allowing low-privilege authenticated API users to access or modify resources belonging to other users, bypassing ownership controls and impacting data confidentiality and integrity.","title":"Mautic 7 API v2 Authorization Bypass (CVE-2026-9808)","url":"https://feed.craftedsignal.io/briefs/2026-07-mautic-api-authorization-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Mautic Core (\u003e= 7.0.0, \u003c 7.1.2)","version":"https://jsonfeed.org/version/1.1"}