GHSA-FCMW-WX57-9P75
Vulnerability from github – Published: 2026-07-02 19:25 – Updated: 2026-07-02 19:25Summary
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.
Impact
An authenticated user with API access can exploit this vulnerability to execute arbitrary SQL queries against the underlying database. This allows unauthorized retrieval of sensitive database contents—including user credentials, system configurations, and personal identifiable information (PII) of contacts—bypassing standard data access permissions.
Patched Versions
This security issue has been fixed in the following releases: * 7.1.2 * 6.0.9 * 5.2.11 * 4.4.20 ELTS
We strongly recommend upgrading to the latest version corresponding to your release branch.
Workarounds
There are no official workarounds. To mitigate this issue without upgrading, you may temporarily disable API access or restrict API permissions to highly trusted accounts.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"last_affected": "4.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4776"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T19:25:18Z",
"nvd_published_at": "2026-05-29T08:16:19Z",
"severity": "HIGH"
},
"details": "### Summary\nAn SQL injection vulnerability exists in Mautic\u0027s API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.\n\n### Impact\nAn authenticated user with API access can exploit this vulnerability to execute arbitrary SQL queries against the underlying database. This allows unauthorized retrieval of sensitive database contents\u2014including user credentials, system configurations, and personal identifiable information (PII) of contacts\u2014bypassing standard data access permissions.\n\n### Patched Versions\nThis security issue has been fixed in the following releases:\n* **7.1.2**\n* **6.0.9**\n* **5.2.11**\n* **4.4.20** [ELTS](https://mautic.org/extended-long-term-support-elts/)\n\nWe strongly recommend upgrading to the latest version corresponding to your release branch.\n\n### Workarounds\nThere are no official workarounds. To mitigate this issue without upgrading, you may temporarily disable API access or restrict API permissions to highly trusted accounts.",
"id": "GHSA-fcmw-wx57-9p75",
"modified": "2026-07-02T19:25:18Z",
"published": "2026-07-02T19:25:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-fcmw-wx57-9p75"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4776"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mautic has SQL Injection in API Contact Filtering"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.