Mautic Authorization Bypass Vulnerability in API v2 Endpoints

Vulnerability

An authorization bypass has been identified in the Mautic version 7 API v2 endpoints, which are built on API Platform. Under certain conditions, the owner-scope permissions granted to a role, such as 'viewown' or 'editown', are not enforced by these endpoints. As a result, a low-privilege authenticated API user can bypass ownership controls and read or modify resources belonging to other users. Affected resources include reports, contacts, and companies.
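The advisory describes a class of bug rather than a single line of code: a permission that is supposed to be limited to the caller's own records is treated as if it covered everyone's. The following is an added, hypothetical illustration written for this page; it is not Mautic or API Platform code. It models a resource store with the permission names the advisory uses ('viewown', 'viewother', 'editown', 'editother', all assumed here as plain strings) and shows a list handler that ignores the owner scope beside one that enforces it, plus an item-level update check that compares ownership against the stored record.

```python
"""Owner-scope enforcement for a REST-style resource API (illustrative only).

Hypothetical example, not Mautic's implementation: permission names, the
Resource/User shapes and the sample records are all constructed for this page.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    id: int
    kind: str            # e.g. "contacts", "companies", "reports"
    owner_id: int
    data: dict = field(default_factory=dict)


@dataclass
class User:
    id: int
    permissions: dict    # kind -> set of permission names


class Forbidden(Exception):
    """Raised when the caller lacks the permission for the requested action."""


def _has(user: User, kind: str, perm: str) -> bool:
    return perm in user.permissions.get(kind, set())


def list_resources_broken(user: User, kind: str, store: list) -> list:
    """Vulnerable pattern: any view permission returns every record of the kind.
    The 'own' suffix is never consulted, so 'viewown' behaves like 'viewother'."""
    if _has(user, kind, "viewown") or _has(user, kind, "viewother"):
        return [r for r in store if r.kind == kind]
    raise Forbidden(kind)


def list_resources(user: User, kind: str, store: list) -> list:
    """Hardened pattern: 'viewother' widens the result set to all records;
    'viewown' narrows it to records whose stored owner is the caller."""
    if _has(user, kind, "viewother"):
        return [r for r in store if r.kind == kind]
    if _has(user, kind, "viewown"):
        return [r for r in store if r.kind == kind and r.owner_id == user.id]
    raise Forbidden(kind)


def update_resource(user: User, resource: Resource, changes: dict) -> Resource:
    """Hardened write path: the ownership test runs after the record is loaded,
    so it compares against the stored owner_id, never a client-supplied value."""
    if _has(user, resource.kind, "editother") or (
        _has(user, resource.kind, "editown") and resource.owner_id == user.id
    ):
        resource.data.update(changes)
        return resource
    raise Forbidden(f"{resource.kind}/{resource.id}")


def visible_ids(user: User, kind: str, store: list):
    """Convenience wrapper: ids the hardened listing returns, or None if denied."""
    try:
        return [r.id for r in list_resources(user, kind, store)]
    except Forbidden:
        return None


# Constructed sample data for a stand-alone run.
STORE = [
    Resource(1, "contacts", owner_id=10, data={"email": "a@example.com"}),
    Resource(2, "contacts", owner_id=20, data={"email": "b@example.com"}),
    Resource(3, "companies", owner_id=20, data={"name": "Example Co"}),
]
LIMITED = User(10, {"contacts": {"viewown", "editown"}})   # owner-scoped role
ADMIN = User(99, {"contacts": {"viewother", "editother"}})


def demo() -> tuple:
    """Compare the broken and hardened listings for the owner-scoped user and
    confirm that an edit of someone else's record is refused."""
    broken = [r.id for r in list_resources_broken(LIMITED, "contacts", STORE)]
    fixed = [r.id for r in list_resources(LIMITED, "contacts", STORE)]
    try:
        update_resource(LIMITED, STORE[1], {"email": "changed@example.com"})
        write_blocked = False
    except Forbidden:
        write_blocked = True
    return broken, fixed, write_blocked


if __name__ == "__main__":
    print(demo())  # ([1, 2], [1], True)
```

The detection angle follows from the same shape: in an API whose roles carry owner-scoped permissions, a collection response that contains records with an `owner_id` different from the caller's, for a caller who holds only the `*own` variant, is the observable symptom of this bug class and is a cheap assertion to add to integration tests and to review in access logs.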

Impact

The vulnerability allows authenticated API users with limited roles to read or modify resources they do not own, bypassing tenant and privilege boundaries on the platform.

Remediation

Upgrade to Mautic version 7.1.2 to address this vulnerability. Mautic 6.x, 5.x, and 4.x are not affected. If an immediate upgrade is not possible, API credentials can be temporarily revoked, or access narrowed, for users whose roles depend on owner-scope permissions.

Added: May 29, 2026, 12:18 PM
Updated: May 29, 2026, 12:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.3
exploitability: 5.4
remediation: 7.9
relevance: 9.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.