CVE-2026-3105 Overview
CVE-2026-3105 is a SQL injection vulnerability affecting the Mautic marketing automation platform. The vulnerability exists in the API endpoint used for retrieving contact activities, specifically within the query construction for the Contact Activity timeline. The parameter responsible for determining the sort direction was not strictly validated against an allowlist, potentially allowing authenticated users to inject arbitrary SQL commands via the API.
Critical Impact
Authenticated attackers can exploit this SQL injection vulnerability to extract sensitive data from the database, modify records, or potentially escalate privileges within the Mautic application.
Affected Products
- Mautic versions prior to 4.4.19
- Mautic versions prior to 5.2.10
- Mautic versions prior to 6.0.8
- Mautic versions prior to 7.0.1
Discovery Timeline
- February 24, 2026 - CVE-2026-3105 published to NVD
- February 24, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3105
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) exists in the Contact Activity timeline API endpoint within Mautic. The root issue stems from improper input validation where the sort direction parameter is not validated against a strict allowlist of acceptable values (e.g., ASC or DESC). This oversight allows authenticated users to append or inject arbitrary SQL syntax into the dynamically constructed query.
SQL injection vulnerabilities of this nature can be particularly dangerous in marketing automation platforms like Mautic, which typically store extensive contact information including personal data, email addresses, and behavioral tracking information. Successful exploitation could lead to unauthorized data access, data manipulation, or in severe cases, complete database compromise.
Root Cause
The vulnerability originates from inadequate input sanitization in the query construction logic for the Contact Activity timeline feature. The sort direction parameter, which should only accept predefined values like ASC or DESC, lacks proper allowlist validation. Instead of restricting input to these safe values, the application directly incorporates user-supplied input into the SQL query string, creating an injection point.
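The allowlist fix described above, shown as an added example (this is not Mautic's code; the table, column names and the two query builders are constructed for illustration). The point is that a sort direction and a column name are SQL identifiers, which cannot be passed as bound parameters, so the only safe approach is to accept exactly one of a fixed set of strings before the value is interpolated into the query. The unsafe builder is kept alongside to make the difference concrete: it hands whatever text arrives in the request straight to ORDER BY.

```python
import sqlite3

# Allowlist of sort directions the API may use; anything else is rejected.
ALLOWED_DIRECTIONS = frozenset({"ASC", "DESC"})
# Allowlist of sortable columns (hypothetical column names for this example).
ALLOWED_COLUMNS = frozenset({"timestamp", "event_type"})


def normalize_direction(raw):
    """Return exactly "ASC" or "DESC" for accepted input, else raise ValueError.

    Normalising case and whitespace keeps the API forgiving ("desc", " ASC ")
    while guaranteeing that only one of two fixed strings reaches the SQL.
    """
    if not isinstance(raw, str):
        raise ValueError("sort direction must be a string")
    candidate = raw.strip().upper()
    if candidate not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {raw!r}")
    return candidate


def build_activity_query_unsafe(column, direction):
    """The vulnerable pattern: request strings are spliced straight into
    ORDER BY, so any text the caller supplies becomes part of the SQL."""
    return (
        "SELECT id, event_type, timestamp FROM contact_activity "
        f"WHERE contact_id = ? ORDER BY {column} {direction}"
    )


def build_activity_query(column, direction):
    """Hardened form: identifiers are checked against allowlists before
    interpolation; contact_id stays a bound parameter."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"invalid sort column: {column!r}")
    direction = normalize_direction(direction)
    return (
        "SELECT id, event_type, timestamp FROM contact_activity "
        f"WHERE contact_id = ? ORDER BY {column} {direction}"
    )


def fetch_activity_ids(conn, contact_id, column="timestamp", direction="DESC"):
    """Run the hardened query and return activity row ids in the requested order."""
    sql = build_activity_query(column, direction)
    return [row[0] for row in conn.execute(sql, (contact_id,))]


def make_sample_db():
    """Constructed in-memory table standing in for a contact activity timeline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact_activity ("
        "id INTEGER PRIMARY KEY, contact_id INTEGER, event_type TEXT, timestamp TEXT)"
    )
    conn.executemany(
        "INSERT INTO contact_activity VALUES (?, ?, ?, ?)",
        [
            (1, 42, "email.read", "2026-02-01T10:00:00"),
            (2, 42, "page.hit", "2026-02-03T09:30:00"),
            (3, 42, "form.submitted", "2026-02-02T12:15:00"),
            (4, 7, "email.read", "2026-02-05T08:00:00"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print("newest first:", fetch_activity_ids(db, 42, "timestamp", "desc"))
    print("oldest first:", fetch_activity_ids(db, 42, "timestamp", "ASC"))
    for bad in ("DESC -- comment", "ASC, 1", ""):
        try:
            normalize_direction(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Note that the check is a comparison against a closed set, not a blocklist of SQL keywords: a blocklist has to anticipate every bypass, whereas an allowlist of two strings leaves nothing to guess. The same treatment applies to the sort column, which is why the hardened builder validates both identifiers.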
Attack Vector
The attack is network-based and requires the attacker to have valid authentication credentials for the Mautic instance. Once authenticated, an attacker can craft malicious API requests to the Contact Activity endpoint, injecting SQL commands through the sort direction parameter. The low attack complexity combined with no user interaction requirements makes this vulnerability relatively straightforward to exploit for authenticated users.
The exploitation pathway involves sending specially crafted requests to the vulnerable API endpoint where the sort direction parameter contains SQL injection payloads. Due to the insufficient validation, these payloads are incorporated into the database query and executed, potentially allowing attackers to read sensitive data, modify database contents, or enumerate database structure.
Detection Methods for CVE-2026-3105
Indicators of Compromise
- Unusual API requests to the Contact Activity timeline endpoint containing SQL syntax in sort parameters
- Database query logs showing unexpected SQL commands or UNION-based queries in activity timeline requests
- Error logs containing SQL syntax errors or database exceptions from the Contact Activity API
- Anomalous data access patterns indicating bulk extraction of contact information
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API requests
- Monitor API logs for requests to Contact Activity endpoints with non-standard sort direction values
- Deploy database activity monitoring to identify suspicious query patterns or unauthorized data access
- Review Mautic application logs for SQL-related errors or exceptions from authenticated users
Monitoring Recommendations
- Enable detailed logging for all API endpoints, particularly those handling Contact Activity data
- Configure alerts for SQL injection signature patterns in inbound API requests
- Implement rate limiting on API endpoints to slow potential automated exploitation attempts
- Regularly audit API access logs for authenticated users accessing Contact Activity endpoints with unusual parameters
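The log review called for under Detection Strategies and Monitoring Recommendations, as an added example (not Mautic's code or tooling): a small scanner that walks web-server access log lines and flags requests to the Contact Activity endpoint whose sort-direction parameter is anything other than asc or desc. The endpoint path pattern, the parameter key names (orderByDir and bracketed ...[dir] keys) and the log lines are assumptions constructed for the example; adjust ACTIVITY_PATH and DIRECTION_KEY to match your deployment's API and logging.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Only these values are legitimate sort directions; anything else is flagged.
ALLOWED_DIRECTIONS = {"asc", "desc"}

# Assumption: request path of the Contact Activity timeline endpoint.
ACTIVITY_PATH = re.compile(r"^/api/contacts/\d+/activity/?$")

# Assumption: query-string keys that carry a sort direction, for example
# "orderByDir" or a bracketed "...[dir]" key. Extend to match your API.
DIRECTION_KEY = re.compile(r"orderbydir$|(?:^|\[)dir\]?$", re.IGNORECASE)

# Common/combined access-log line: client, ident, user, time, request, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_suspicious_direction(value):
    """True when a sort-direction value is outside the allowlist."""
    return value.strip().lower() not in ALLOWED_DIRECTIONS


def scan_line(line):
    """Return a finding for a Contact Activity request whose sort-direction
    parameter is outside the allowlist, or None for any other line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not ACTIVITY_PATH.match(url.path):
        return None
    hits = [
        (key, value)
        for key, value in parse_qsl(url.query, keep_blank_values=True)
        if DIRECTION_KEY.search(key) and is_suspicious_direction(value)
    ]
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "params": hits,
    }


def scan_log(lines):
    """Scan an iterable of log lines and return the list of findings."""
    return [finding for finding in map(scan_line, lines) if finding]


# Constructed sample log lines (not real traffic): two legitimate timeline
# requests, one with a malformed direction that produced a server error,
# one malformed request to a different endpoint, and one non-API hit.
SAMPLE_LOG = [
    '10.0.0.5 - apiuser [24/Feb/2026:10:01:02 +0000] "GET /api/contacts/42/activity?orderByDir=DESC&limit=25 HTTP/1.1" 200 1832',
    '10.0.0.5 - apiuser [24/Feb/2026:10:01:09 +0000] "GET /api/contacts/42/activity?order%5B0%5D%5Bdir%5D=asc HTTP/1.1" 200 1790',
    '203.0.113.9 - apiuser [24/Feb/2026:10:02:31 +0000] "GET /api/contacts/42/activity?orderByDir=DESC%20--%20probe HTTP/1.1" 500 512',
    '203.0.113.9 - apiuser [24/Feb/2026:10:02:40 +0000] "GET /api/contacts?orderByDir=DESC%20--%20probe HTTP/1.1" 200 4096',
    '198.51.100.3 - - [24/Feb/2026:10:03:00 +0000] "GET /s/contacts HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} user={finding['user']} "
              f"status={finding['status']} params={finding['params']}")
```

Because the rule is "anything outside the allowlist" rather than a list of SQL keywords, it catches probes that a signature-based WAF rule would miss, and a 500 response paired with a flagged parameter is a strong signal worth correlating with database error logs. Widening ACTIVITY_PATH to all of /api/ extends the same check to other endpoints that accept a sort direction.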
How to Mitigate CVE-2026-3105
Immediate Actions Required
- Update Mautic immediately to 4.4.19, 5.2.10, 6.0.8 or 7.0.1 (or later), whichever matches your installed major version
- Review API access logs for any signs of exploitation attempts before patching
- Audit database for any unexpected modifications or data access that may indicate prior compromise
- Rotate database credentials if exploitation is suspected
Patch Information
Mautic has released security updates addressing this SQL injection vulnerability. Organizations should update to one of the following patched versions based on their current major version:
- Version 4.4.19 for 4.x installations
- Version 5.2.10 for 5.x installations
- Version 6.0.8 for 6.x installations
- Version 7.0.1 for 7.x installations
For additional details, refer to the GitHub Security Advisory. For security inquiries, contact security@mautic.org.
Workarounds
- No official workarounds are available according to the vendor advisory
- As a temporary measure, restrict API access to trusted IP addresses only
- Implement additional WAF rules to filter SQL injection patterns on the affected endpoints
- Consider temporarily disabling API access to the Contact Activity endpoint if not critical to operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.