CVE-2026-3105: Mautic SQLi: When 'Order By' Becomes 'Pwned By'

Published: (February 25, 2026 at 04:40 PM EST)
2 min read
Source: Dev.to

Overview

Mautic, the open‑source marketing automation platform, recently patched a high‑severity SQL Injection vulnerability (CVE‑2026‑3105). The flaw allowed attackers to manipulate the order‑by direction parameter in the API, injecting arbitrary SQL commands and exfiltrating sensitive marketing data.

  • Vulnerability ID: CVE‑2026‑3105
  • CWE ID: CWE‑89 (SQL Injection)
  • CVSS Score: 7.6 (High)
  • Published: 2026‑02‑25
  • Attack Vector: Network (API)
  • Privileges Required: Low (Authenticated API User)
  • Exploit Status: PoC Available (Theoretical)
  • Confidentiality Impact: High

Technical Details

The API’s sort direction parameter (dir) was not validated to restrict values to ASC or DESC. An attacker could supply a crafted payload such as:

ASC; SELECT ... -- 

This payload is concatenated directly into the ORDER BY clause, resulting in a Blind SQL Injection that can be used to:

  • Enumerate database schema
  • Extract marketing contact information
  • Execute time‑based or error‑based inference attacks

The issue demonstrates why strict input validation (allow‑listing) remains essential, even when using modern ORM layers.

Affected Versions

Mautic Version Range      Fixed In
>= 2.10.0, < 4.4.19       4.4.19
>= 5.0.0, < 5.2.10        5.2.10
>= 6.0.0, < 6.0.8         6.0.8
>= 7.0.0, < 7.0.1         7.0.1

Remediation Steps

  1. Identify your current Mautic version.
  2. Backup both the database and codebase.
  3. Apply the vendor patch by upgrading to one of the fixed releases (4.4.19, 5.2.10, 6.0.8, or 7.0.1).
  4. Verify the update by checking the version displayed in the footer or the app/version.txt file.
  5. Review API logs for any past requests containing suspicious patterns such as SELECT, SLEEP, or parentheses in the dir parameter.

Mitigation Recommendations

  • Input Validation (Allow‑listing): Restrict the dir parameter to the explicit values ASC and DESC.
  • WAF Filtering: Deploy rules that block SQL meta‑characters in API query strings.
  • Database Least Privilege: Ensure the Mautic database user has only the permissions required for its operations.
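The two defensive points above that are directly testable in code are the allow-list on the sort direction and the log review from remediation step 5. The following is an added example, not Mautic's own code: it builds an ORDER BY fragment only from allow-listed values and scans constructed access-log lines for `dir` values that are anything other than a bare ASC/DESC. The `orderBy` field name and the column mapping are hypothetical.

```python
"""Added example (not Mautic's code): allow-listing an ORDER BY direction
parameter and scanning constructed API log lines for suspicious `dir` values."""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_DIRECTIONS = {"ASC", "DESC"}
# Hypothetical sortable fields for the illustration. A real allow-list maps
# API field names to schema column names so neither side is user-controlled.
ALLOWED_ORDER_COLUMNS = {"id": "c.id", "email": "c.email", "date_added": "c.date_added"}


def build_order_by(order_by: str, dir_param: str) -> str:
    """Return a safe ORDER BY fragment. Both inputs are checked against
    allow-lists and rejected otherwise; nothing from the request is
    concatenated into SQL verbatim."""
    column = ALLOWED_ORDER_COLUMNS.get(order_by)
    if column is None:
        raise ValueError(f"unsupported orderBy field: {order_by!r}")
    direction = dir_param.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {dir_param!r}")
    return f"ORDER BY {column} {direction}"


# Constructed sample access-log lines (common log format). The third line
# carries the shape of payload described in the advisory, URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2026:10:01:02 +0000] "GET /api/contacts?orderBy=id&dir=ASC HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Feb/2026:10:01:09 +0000] "GET /api/contacts?orderBy=email&dir=desc HTTP/1.1" 200 498',
    '198.51.100.7 - - [25/Feb/2026:10:02:44 +0000] "GET /api/contacts?orderBy=id&dir=ASC%3B%20SELECT%20...%20-- HTTP/1.1" 200 530',
]

REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def suspicious_dir_values(log_lines):
    """Return (line_number, decoded_dir_value) for every request whose dir
    parameter is not exactly ASC or DESC. Checking against the allow-list
    catches SELECT, SLEEP, parentheses and any other pattern at once, so no
    keyword list has to be maintained."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_TARGET.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in query.get("dir", []):
            if value.strip().upper() not in ALLOWED_DIRECTIONS:
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    print(build_order_by("email", "desc"))
    print(suspicious_dir_values(SAMPLE_LOG))
```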

References

  • Mautic Security Advisory: GHSA‑r5j5‑q42h‑fc93
  • NVD Entry for CVE‑2026‑3105

For a full technical analysis, including interactive diagrams, refer to the complete report on the original website.
