Authorization Bypass Vulnerability in Mautic API by Mautic
CVE-2026-9808

7.1 HIGH

Key Information:

Vendor: Mautic
CVE Published: 29 May 2026

What is CVE-2026-9808?

An authorization bypass vulnerability exists in Mautic's API v2 endpoints. Owner-scoped permissions such as 'viewown' and 'editown', which are meant to limit a user to the records they own, are not enforced by these endpoints. A low-privilege authenticated API user can therefore bypass ownership controls and read or modify resources that belong to other users. Exploitation needs nothing more than a valid API credential holding an owner-scoped permission; no user interaction is involved.
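To make the failure mode concrete, the following is an added illustrative model of an owner-scoped permission check. It is not Mautic's code: the User and Contact types, the in-memory store and the handler functions are assumptions for illustration, and only the permission naming pattern follows the advisory ('viewown'/'editown' for the caller's own records, 'viewother'/'editother' for everyone else's). The vulnerable handler checks only that the caller holds some view permission; the fixed handlers load the record and compare its owner with the caller, and the list handler scopes the result set the same way.

```python
"""Illustrative model of owner-scoped API authorization.

Added example, not Mautic's code: User, Contact, the in-memory store and the
handler functions are assumptions for illustration. Only the permission naming
pattern ('viewown'/'viewother', 'editown'/'editother') follows the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks permission for the requested record."""


@dataclass
class User:
    id: int
    permissions: set[str] = field(default_factory=set)


@dataclass
class Contact:
    id: int
    owner_id: int
    email: str


def has_permission(user: User, action: str, record: Contact) -> bool:
    """Owner-scoped check: '<action>other' (or 'full') covers any record,
    '<action>own' covers only records whose owner_id is the caller."""
    if "full" in user.permissions or f"{action}other" in user.permissions:
        return True
    if f"{action}own" in user.permissions:
        return record.owner_id == user.id
    return False


# Vulnerable pattern: the handler verifies that the caller holds *a* view
# permission but never compares record.owner_id with the caller, so a user
# granted only 'viewown' can read every record.
def get_contact_vulnerable(store: dict[int, Contact], user: User, contact_id: int) -> Contact:
    if not any(p in ("viewown", "viewother", "full") for p in user.permissions):
        raise Forbidden("no view permission")
    return store[contact_id]


# Fixed pattern: load the record first, then decide with the owner in hand.
def get_contact_fixed(store: dict[int, Contact], user: User, contact_id: int) -> Contact:
    record = store[contact_id]
    if not has_permission(user, "view", record):
        raise Forbidden(f"user {user.id} may not view contact {contact_id}")
    return record


def update_contact_fixed(store: dict[int, Contact], user: User, contact_id: int, email: str) -> Contact:
    record = store[contact_id]
    if not has_permission(user, "edit", record):
        raise Forbidden(f"user {user.id} may not edit contact {contact_id}")
    record.email = email
    return record


# List endpoints need the same scoping applied to the result set: a 'viewown'
# caller gets only their own rows, never everyone's rows.
def list_contacts_fixed(store: dict[int, Contact], user: User) -> list[Contact]:
    if "full" in user.permissions or "viewother" in user.permissions:
        return list(store.values())
    if "viewown" in user.permissions:
        return [c for c in store.values() if c.owner_id == user.id]
    raise Forbidden("no view permission")


def demo() -> dict[str, bool]:
    """Constructed sample data: two records owned by different users, one
    owner-scoped API user and one user with 'other' permissions."""
    store = {
        1: Contact(1, owner_id=10, email="a@example.com"),
        2: Contact(2, owner_id=20, email="b@example.com"),
    }
    low = User(10, {"viewown", "editown"})        # owner-scoped API user
    other = User(30, {"viewother", "editother"})  # may act on anyone's records

    def allowed(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except Forbidden:
            return False

    return {
        "vuln_reads_other": allowed(get_contact_vulnerable, store, low, 2),
        "fixed_reads_own": allowed(get_contact_fixed, store, low, 1),
        "fixed_reads_other": allowed(get_contact_fixed, store, low, 2),
        "fixed_edits_other": allowed(update_contact_fixed, store, low, 2, "x@example.com"),
        "other_reads_other": allowed(get_contact_fixed, store, other, 2),
        "list_scoped": [c.id for c in list_contacts_fixed(store, low)] == [1],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check has to sit on every path that touches a record (read, update, delete, batch and list handlers alike); a single missed endpoint is enough to reproduce the bypass. Whether a denied lookup returns 403 or 404 is a separate design choice; the ownership comparison is what matters.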


CVSS v3.1

Score: 7.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 29 May 2026

Credit

BiAyeNdGi (@zerlyer)
@pavelkohout396
John Linhart (@escopecz)
Patryk Gruszka (@patrykgruszka)
Leuchtfeuer Digital Marketing (@Leuchtfeuer)