Mautic HTTP Basic Authentication Improper Authorization Vulnerability Allowing Unauthorized Access to Report Data

Vulnerability

An improper authorization vulnerability exists in Mautic's HTTP Basic Authentication implementation, affecting versions after 1.0.1 and before 5.2.3, the release that fixes it. Any authenticated user, regardless of assigned roles or permissions, can retrieve every report and its associated data through the API. This bypasses the intended access control, which should restrict access to non-System Reports according to the user's reporting permissions: on the affected code path only authentication is enforced, not authorization.
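The gap described above can be modelled in a few lines. The following is an added example written for this page, not Mautic's own code: it contrasts a report listing that gates only on authentication (any logged-in user receives every report) with one that applies a per-report authorization check. The permission names `report:reports:viewown` and `report:reports:viewother` follow Mautic's bundle:level:action naming convention but are assumed here, as is the treatment of System Reports as visible to every authenticated user; the users and reports are constructed sample data.

```python
"""Model of the report-listing authorization gap (added example, not Mautic code).

Assumptions: permission names report:reports:viewown / viewother, and that
System Reports are shared with every authenticated user.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    id: int
    name: str
    created_by: int   # user id of the report owner
    is_system: bool   # assumption: system reports are visible to all users


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset[str]


# Constructed sample data: three users with different reporting rights, four reports.
ALICE = User(1, frozenset({"report:reports:viewown"}))
BOB = User(2, frozenset({"report:reports:viewown", "report:reports:viewother"}))
CAROL = User(3, frozenset())   # valid API credentials, no reporting permission at all

REPORTS = (
    Report(10, "Alice's campaign funnel", created_by=1, is_system=False),
    Report(11, "Bob's revenue by segment", created_by=2, is_system=False),
    Report(12, "Bob's contact export", created_by=2, is_system=False),
    Report(13, "Site-wide email stats", created_by=2, is_system=True),
)


def list_reports_vulnerable(user: User | None, reports) -> list[Report]:
    """Authentication is the only gate: every logged-in user gets every report."""
    if user is None:
        raise PermissionError("HTTP 401: credentials required")
    return list(reports)


def can_view(user: User, report: Report) -> bool:
    """Per-report decision: system reports are open, others need viewown/viewother."""
    if report.is_system:
        return True
    if "report:reports:viewother" in user.permissions:
        return True
    return ("report:reports:viewown" in user.permissions
            and report.created_by == user.id)


def list_reports_fixed(user: User | None, reports) -> list[Report]:
    """Authentication followed by an authorization check on each report."""
    if user is None:
        raise PermissionError("HTTP 401: credentials required")
    return [r for r in reports if can_view(user, r)]


def leaked_report_ids(user: User, reports) -> set[int]:
    """Report ids the vulnerable path returns that the authorized path withholds."""
    allowed = {r.id for r in list_reports_fixed(user, reports)}
    return {r.id for r in list_reports_vulnerable(user, reports)} - allowed


if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(f"user {u.id}: leaked report ids {sorted(leaked_report_ids(u, REPORTS))}")
```

Running the block prints, per user, the report ids the vulnerable path hands out that the authorized path would withhold. The same difference is what a check against a deployed instance looks for: call the reports API as a user who holds no reporting permission and compare what comes back with what that user can see in the UI.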

Impact

Exploitation leads to unauthorized disclosure of report data. A user with valid API credentials but no reporting permissions, or only permission to view their own reports, can enumerate and read every report in the instance, including those created by other users, instead of being confined to the reports their role allows.

Remediation

Update to Mautic 5.2.3 or later. Where an immediate upgrade is not possible, disabling the API in Mautic's settings removes the exposed path, at the cost of any integrations that depend on the API; re-enable it only after upgrading.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 5.4
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.