CVE-2026-4776: Mautic API SQL Injection – Authenticated Data Exfiltration Risk
Mautic, a popular marketing automation platform, contains an SQL injection flaw in its API that allows authenticated users to execute unauthorized database queries. The vulnerability stems from incomplete filtering of nested query parameters in the contact filtering API—an attacker with valid API credentials can craft specially formed requests to bypass safety checks and inject SQL commands directly into database queries. This could lead to unauthorized data access or limited system disruption, though the attacker must already have valid API authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-4776 is an SQL injection vulnerability (CWE-89) residing in Mautic's API contact filtering endpoint. The root cause is insufficient recursive sanitization of nested query parameters. Standard input validation routines fail to properly handle deeply nested or layered query structures, allowing an authenticated API consumer to bypass filtering controls and inject arbitrary SQL. The CVSS 3.1 score of 7.1 (HIGH) reflects high confidentiality impact, low integrity risk, and limited availability impact, constrained by the requirement for prior authentication (PR:L) and network-only attack surface (AV:N/AC:L).
Business impact
A compromised or malicious API user could extract sensitive contact data, campaign information, or other marketing records from the Mautic instance without authorization. While data modification is not the primary risk, query-based denial-of-service through resource-intensive injected SQL could degrade system performance or availability. For organizations using Mautic to manage customer contact databases, data exfiltration represents a material compliance and reputation risk. The authenticated nature of the attack limits blast radius but increases insider-threat and API key compromise scenarios.
Affected systems
This vulnerability affects Mautic instances with exposed API endpoints accessible to authenticated users. The precise affected version range is not detailed in vendor advisories reviewed; organizations should verify their Mautic deployment version against official vendor guidance. Instances where API keys or credentials are shared across teams, integrated with third-party tools, or stored in version control are at heightened risk of unauthorized access by bad actors.
Exploitability
Exploitation requires valid API credentials—the attacker cannot exploit this remotely without prior authentication. The attack complexity is low once credentials are obtained, and no user interaction is needed. An attacker with stolen or mismanaged API keys, or an insider with legitimate access, can weaponize this with minimal effort. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog, but the straightforward nature of SQL injection post-authentication suggests practical exploit code could be developed quickly.
Remediation
Mautic has released security updates addressing this vulnerability through improved recursive sanitization of query parameters. Organizations must apply the vendor-provided patch to all Mautic instances with exposed APIs. Parallel to patching, implement strict API key lifecycle management: rotate credentials, restrict API scopes to minimum required permissions, enforce API rate limiting, and monitor API logs for anomalous query patterns. Consider network-level controls such as IP whitelisting for API access.
Patch guidance
Consult the official Mautic security advisory for the specific patched version. Apply patches in a phased approach: test in a staging environment first to verify compatibility with custom plugins or integrations, then deploy to production instances. Verify patch application by confirming the presence of updated input validation routines in the contact filtering endpoint. Implement a post-patch audit of recent API activity logs to detect whether the vulnerability was exploited prior to remediation.
Detection guidance
Monitor API access logs for suspicious contact filter queries, particularly those containing SQL keywords (UNION, SELECT, DROP, INSERT, etc.) within nested parameter structures. Implement Web Application Firewall (WAF) rules to detect SQL injection signatures in API requests targeting the contact filter endpoint. Use database query auditing to identify anomalous SELECT statements originating from the Mautic application service account. Correlate API key usage patterns with known user behavior to identify compromised credentials.
Why prioritize this
Although the vulnerability requires prior authentication, its combination of high confidentiality impact, ease of exploitation post-authentication, and potential for broad data exfiltration warrants timely remediation. Organizations managing customer data through Mautic should prioritize patching to prevent unauthorized access that could trigger breach disclosure obligations. The vulnerability is not yet widely exploited in the wild, offering a narrow window for proactive patching before adversaries operationalize it.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects a HIGH severity assessment driven by high confidentiality impact (the primary concern), network accessibility, and low attack complexity post-authentication. The score is tempered by the mandatory authentication requirement (PR:L) and limited integrity and availability impact. For organizations with strict API security practices and strong credential management, practical risk may be lower; for those with credential sprawl or overly permissive API scopes, actual risk may exceed the base score.
Frequently asked questions
Does this vulnerability allow unauthenticated attacks?
No. Exploitation requires valid Mautic API credentials. However, API keys are often shared, stored insecurely, or accidentally exposed in code repositories—so the pool of potential attackers may be broader than internal staff.
What if we don't use Mautic's API—are we affected?
If your Mautic instance does not expose the API to any external or untrusted systems, the practical attack surface is reduced. However, we recommend patching regardless, as security best practice assumes credentials may be compromised.
Could this be exploited to modify or delete contacts?
The vulnerability enables arbitrary SQL execution, so technically yes, though the CVSS score reflects low integrity impact, suggesting detection and prevention controls were assumed in the base assessment. Patch immediately to eliminate the risk entirely.
How can we determine if we've been compromised?
Review API access logs (if available) for queries containing SQL injection signatures. Check the Mautic database audit log for unexpected SELECT, INSERT, or UPDATE statements. If you suspect unauthorized data access, engage your incident response team and consider forensic analysis of database transaction logs.
This analysis is provided for informational purposes. The specific affected Mautic versions, patch numbers, and remediation steps must be verified against the official Mautic security advisory before implementation. SEC.co makes no warranty regarding the completeness or accuracy of this assessment. Organizations should conduct their own risk assessment and engage Mautic support or a qualified security consultant if needed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access