CVE-2026-9808

HIGH 7.1

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

9th

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users.

CWE	CWE-863
Published	May 29, 2026
Last Updated	May 29, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new high vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/mautic/mautic/security/advisories/GHSA-2jrw-c95w-h43g

Credits

BiAyeNdGi (@zerlyer) @pavelkohout396 John Linhart (@escopecz) Patryk Gruszka (@patrykgruszka) Leuchtfeuer Digital Marketing (@Leuchtfeuer)