CVE-2026-9559 Overview
CVE-2026-9559 is a path traversal vulnerability [CWE-22] in the campaign import feature of Mautic 7. The flaw resides in the ZIP extraction logic used when processing uploaded campaign archives. Insufficient validation of archive entry paths allows file names to escape the intended temporary directory. An authenticated user holding the campaign:imports:create permission can write arbitrary PHP files into sensitive application directories. Overwriting internal configuration files or cache components yields Remote Code Execution (RCE) under the web server account.
Critical Impact
Authenticated attackers with campaign import privileges can achieve Remote Code Execution by writing PHP files outside the temporary extraction directory.
Affected Products
- Mautic 7 marketing automation platform
- Installations exposing the campaign import feature to non-administrative users
- Deployments granting the campaign:imports:create permission to standard roles
Discovery Timeline
- 2026-05-29 - CVE-2026-9559 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-9559
Vulnerability Analysis
The vulnerability stems from improper validation of file paths inside ZIP archives during campaign import. Mautic 7 accepts a ZIP file from authorized users and extracts its contents into a temporary working directory. The extraction routine does not normalize or constrain entry names against the destination root. Crafted archive entries containing ../ traversal sequences resolve to locations outside the intended directory.
Because the web server process needs write access to parts of the application tree (to persist imported assets and to maintain the runtime cache), attackers can target directories that are writable by that process, such as cache, configuration, or bundle paths. Dropping a PHP file into a path that the application loads, or that the web server will serve directly, produces code execution in the context of the PHP-FPM or web server user. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Root Cause
The import handler iterates archive entries and writes each one to disk using the entry name supplied by the ZIP file. The code path does not call a canonicalization routine, nor does it verify that the resolved destination remains within the temporary extraction directory. Standard ZIP libraries surface the raw entry name, leaving the validation responsibility to the caller. Mautic's caller-side check is absent or bypassable, enabling the traversal.
Attack Vector
Exploitation requires an authenticated session with the campaign:imports:create privilege. The attacker constructs a ZIP archive containing a PHP payload whose entry name carries a relative path such as ../../../../var/www/html/app/cache/prod/exploit.php; the number of ../ segments needed depends on how deep the temporary extraction directory sits below the filesystem root. After uploading the archive through the campaign import endpoint, the extraction routine writes the payload to the traversed location. The attacker then requests the dropped file, or triggers a code path that loads cached/configuration files, to execute arbitrary PHP. The scope change reflected in the CVSS vector indicates that RCE under the web server account can reach resources beyond the Mautic application boundary.
No public proof-of-concept code is currently referenced for this CVE. See the GitHub Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-9559
Indicators of Compromise
- ZIP archives uploaded to the campaign import endpoint containing entry names with ../ or absolute path sequences
- Newly created .php files in cache, configuration, or bundle directories outside the standard import temp path
- Unexpected modification timestamps on Mautic cache files such as app/cache/prod/ artifacts (the cache and configuration locations differ between Mautic major versions; confirm the paths used by the installed release before building rules)
- Web server processes spawning shells, curl, wget, or outbound connections following a campaign import event
Detection Strategies
- Inspect Mautic audit logs for campaign:imports:create activity correlated with file system writes outside the intended temporary directory
- Apply file integrity monitoring on the Mautic webroot, app/cache, and app/config paths to flag unauthorized PHP file creation
- Parse HTTP access logs for POST requests to the campaign import controller followed by GET requests to unusual PHP endpoints
- Scan uploaded archives offline for entries containing path traversal sequences before extraction
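One way to implement the access-log correlation described above, as an added example that is not part of the original page or of Mautic: the log lines are constructed, the import route /s/campaigns/import is taken from the nginx example later on this page and must be verified against the deployment, and treating index.php as Mautic's only legitimate PHP entry point is an assumption of this example.

```python
"""Added example: correlate campaign-import POSTs with follow-up requests to
unexpected PHP files in web server access logs. The log lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2026:10:14:02 +0000] "POST /s/campaigns/import HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2026:10:14:09 +0000] "GET /exploit.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:20:31 +0000] "POST /s/campaigns/import HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:20:40 +0000] "GET /s/campaigns HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
192.0.2.44 - - [29/May/2026:11:02:15 +0000] "GET /index.php/s/dashboard HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Route taken from the nginx example on this page; verify it for the deployment.
IMPORT_PATH = "/s/campaigns/import"
# Assumption: Mautic serves all routes through its index.php front controller,
# so a request for any other .php script is worth a look.
EXPECTED_PHP = {"/index.php"}
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def is_unexpected_php(path):
    """True for requests to a .php script other than the front controller."""
    idx = path.lower().find(".php")
    if idx == -1:
        return False
    return path[: idx + 4] not in EXPECTED_PHP   # keep script name, drop PATH_INFO


def find_suspicious(log_text, window=WINDOW):
    """Return (ip, path, timestamp) for PHP requests that follow an import POST
    from the same client within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_import = {}   # client ip -> time of its most recent import POST
    hits = []
    for e in events:
        if e["method"] == "POST" and e["path"] == IMPORT_PATH:
            last_import[e["ip"]] = e["ts"]
        elif e["ip"] in last_import and is_unexpected_php(e["path"]):
            if e["ts"] - last_import[e["ip"]] <= window:
                hits.append((e["ip"], e["path"], e["ts"]))
    return hits


if __name__ == "__main__":
    for ip, path, ts in find_suspicious(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} requested {path} shortly after a campaign import")
```

Keying on client IP is a simplification; behind NAT or a proxy, key on the Mautic session or user from the application log instead, and widen the window if imports are queued rather than processed inline.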
Monitoring Recommendations
- Forward Mautic application logs and web server logs to a centralized log platform for correlation against import events
- Alert on PHP-FPM or Apache child processes executing system binaries such as sh, bash, python, or nc
- Track outbound network connections from the web server account to non-allowlisted destinations
How to Mitigate CVE-2026-9559
Immediate Actions Required
- Upgrade Mautic 7 to the patched release identified in the GitHub Security Advisory GHSA-6r9h-4h75-7q4x
- Audit role assignments and remove the campaign:imports:create permission from any role that does not require it
- Review the Mautic webroot, cache, and configuration directories for unexpected PHP files and remove any unauthorized artifacts
- Rotate credentials, API tokens, and secrets stored within the Mautic configuration if compromise is suspected
Patch Information
Refer to the Mautic security advisory GHSA-6r9h-4h75-7q4x for the fixed version and upgrade instructions. The fix introduces strict path normalization and validation that confines extracted archive entries to the designated temporary directory.
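The containment check that the Root Cause section says is missing, and that the advisory says the fix adds, looks like the following. This is an added Python illustration, not Mautic's code (Mautic is PHP and its actual patch is in the linked advisory); the extraction root, the archive contents and the marker payload are constructed for the example, and rejecting the whole archive on the first bad entry is a design choice of this example. The same check doubles as the offline archive scan suggested under Detection Strategies.

```python
"""Added example: entry-name containment check for ZIP extraction, the
validation the root cause section says is missing and the advisory says the
fix adds. Python illustration only; Mautic's fix is in PHP and is not
reproduced here. Archive contents, paths and payload are constructed."""
import io
import os
import tempfile
import zipfile


def escapes_root(root, entry_name):
    """True if writing entry_name beneath root would land outside root.

    Absolute names are rejected outright; relative names are joined to the
    real root and normalized, which resolves any '..' segments, and the result
    must still be the root or lie below it.
    """
    root = os.path.realpath(root)
    name = entry_name.replace("\\", "/")          # tolerate Windows-built archives
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return True
    dest = os.path.realpath(os.path.join(root, name))
    return not (dest == root or dest.startswith(root + os.sep))


def scan_archive(zip_bytes, root):
    """Offline check before extraction: names that would escape root."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if escapes_root(root, n)]


def safe_extract(zip_bytes, root):
    """Extract into root only if every entry is contained; otherwise reject the
    whole archive rather than silently skipping the bad entries. Returns the
    relative paths of the files written."""
    bad = scan_archive(zip_bytes, root)
    if bad:
        raise ValueError(f"archive entries escape the extraction root: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dest = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
    return sorted(
        os.path.relpath(os.path.join(d, f), root)
        for d, _, files in os.walk(root) for f in files
    )


def build_archive(entries):
    """Build an in-memory ZIP from {name: bytes}; names are stored verbatim,
    including any '../' segments, exactly as a crafted upload would carry them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a harmless campaign export and a crafted archive using the
# traversal name from the Attack Vector section with a benign marker payload.
BENIGN_ZIP = build_archive({
    "campaign.json": b'{"name": "welcome"}',
    "assets/logo.png": b"\x89PNG",
})
MALICIOUS_ZIP = build_archive({
    "campaign.json": b"{}",
    "../../../../var/www/html/app/cache/prod/exploit.php": b"<?php echo 'traversal-test'; ?>",
})


def demo():
    """Extract the benign archive, then show the crafted one being rejected."""
    root = tempfile.mkdtemp(prefix="mautic-import-")
    extracted = safe_extract(BENIGN_ZIP, root)
    try:
        safe_extract(MALICIOUS_ZIP, root)
        rejected = []
    except ValueError:
        rejected = scan_archive(MALICIOUS_ZIP, root)
    return extracted, rejected


if __name__ == "__main__":
    print(demo())
```

The check resolves the destination against the real root with realpath rather than string-matching for ../, so encoded or nested forms such as sub/../../x are caught as well. A PHP port needs the same two properties: normalize the joined path, then require that the normalized result still begins with the normalized root plus a directory separator.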
Workarounds
- Restrict the campaign import feature to a small set of trusted administrators until the patch is applied
- Place the Mautic application behind a Web Application Firewall (WAF) rule that blocks uploads of ZIP archives containing traversal sequences; this only works if the WAF inspects the raw multipart body, since entry names sit in the ZIP local file headers and central directory rather than in the request URL, and it is a stopgap rather than a substitute for the patch
- Enforce filesystem permissions so the web server user cannot write to executable application paths such as bundle and other code directories; the runtime cache generally must remain writable for Mautic to operate, so pair this with a web server rule that refuses to execute PHP from cache and upload directories
- Disable the campaign import endpoint at the web server or reverse proxy level if the feature is not in active use
# Example nginx restriction to block the campaign import endpoint
# (confirm the route matches the deployment; this also locks out legitimate
# administrators until the rule is removed)
location ~* /s/campaigns/import {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

