Skip to main content

Mautic Focus CVE-2026-9557

| EUVDEUVD-2026-33273 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-29 Mautic GHSA-jmv8-8j9j-rcpc
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 11:02 vuln.today

DescriptionCVE.org

A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary internal or external destinations.

AnalysisAI

Server-Side Request Forgery in Mautic's Focus component enables authenticated low-privileged users to coerce the hosting server into issuing arbitrary outbound HTTP requests to internal or external destinations. The CVSS scope change (S:C) confirms the vulnerability crosses the application boundary, making internal network reconnaissance viable from a standard marketing platform user account. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the authenticated-yet-low-privilege requirement and changed scope make this a meaningful lateral movement enabler in enterprise Mautic deployments.

Technical ContextAI

Mautic is an open-source marketing automation platform; its Focus component is used to create targeted overlays and popups that can be embedded on external websites, requiring URL input from users. CWE-918 (Server-Side Request Forgery) describes a class of vulnerability where user-supplied URLs are passed to server-side HTTP clients without sufficient validation or allowlisting, causing the application server itself to act as a request proxy. In this case, insufficient sanitization of Focus component URLs allows the server's HTTP stack to reach RFC-1918 private address ranges, cloud metadata endpoints (e.g., 169.254.169.254), or arbitrary external hosts. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C reflects that the vulnerability is network-reachable, requires no complex preconditions, demands only a low-privilege authenticated session, needs no victim interaction, and can affect components outside the application's own security scope - consistent with classic SSRF enabling access to backend infrastructure not directly exposed to the internet. No CPE strings were provided, so exact affected version ranges are not independently confirmable from this dataset.

Affected ProductsAI

Mautic is the affected product, specifically its Focus component. The vendor-published security advisory is located at https://github.com/mautic/mautic/security/advisories/GHSA-jmv8-8j9j-rcpc and is the authoritative source for affected version ranges. No CPE strings were included in the provided data, and no explicit version range was specified in the CVE description, so affected versions cannot be independently confirmed from this dataset alone. Consumers should consult the GitHub advisory directly to determine which Mautic releases are vulnerable and which contain the fix.

RemediationAI

The primary remediation is to apply the patch referenced in Mautic's security advisory at https://github.com/mautic/mautic/security/advisories/GHSA-jmv8-8j9j-rcpc. An exact fixed version number was not available in the provided data - consult the advisory for the precise patched release and upgrade to it. If patching is not immediately possible, implement strict server-side egress filtering to block outbound requests from the Mautic application server to RFC-1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local ranges (169.254.0.0/16) using a firewall or network policy; this reduces SSRF pivot risk but does not eliminate the vulnerability and will not block requests to external attacker-controlled hosts. Additionally, restrict access to the Focus component to only trusted user roles if Mautic's permission model supports that, reducing the population of accounts that can trigger the issue. Cloud-hosted deployments should block access to instance metadata endpoints at the network or IAM level as a defense-in-depth measure against credential theft via SSRF.

Share

CVE-2026-9557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy