
CVE-2026-3105: Mautic SQL Injection via API Sorting Parameters


These articles are AI-generated summaries. Please check the original sources for full details.

Mautic SQLi: When “Order By” Becomes “Pwned By”

Mautic has addressed a high-severity SQL Injection vulnerability, tracked as CVE-2026-3105, which carries a CVSS score of 7.6. The flaw stems from a failure to validate the sort direction parameter in API requests, enabling blind SQL injection.

Why This Matters

While modern Object-Relational Mapping (ORM) systems are often perceived as inherently safe against SQL injection, this vulnerability demonstrates that even ORDER BY clauses become injection points when user input is appended directly to the query text. Parameter binding only covers values, not identifiers or keywords such as the sort direction, so an ORM offers no protection there unless the application itself checks the direction against an explicit allowlist (ASC/DESC). Incomplete validation of that one field turns a mundane API feature into a high-risk data exfiltration channel for sensitive marketing data.
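The following Python example, added here and not taken from Mautic's code base, contrasts the vulnerable pattern (sort direction concatenated verbatim into the query string) with the hardened pattern (column name and direction both checked against an allowlist before they reach the query). The `contacts` table, its rows and the function names are constructed for the demonstration; the SQL runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data standing in for a Mautic-style contacts table.
SAMPLE_ROWS = [
    (1, "alice@example.com", "2024-01-03"),
    (2, "bob@example.com", "2024-01-01"),
    (3, "carol@example.com", "2024-01-02"),
]

SORTABLE_COLUMNS = {"id", "email", "date_added"}  # allowlist of sortable identifiers
SORT_DIRECTIONS = {"ASC", "DESC"}                 # allowlist of directions


def build_query_vulnerable(order_by: str, direction: str) -> str:
    """Vulnerable pattern: the caller's direction value is concatenated verbatim.
    Nothing stops a value other than ASC/DESC from becoming part of the SQL text."""
    return f"SELECT id, email FROM contacts ORDER BY {order_by} {direction}"


def build_query_hardened(order_by: str, direction: str) -> str:
    """Hardened pattern: identifiers and keywords cannot be bound as parameters,
    so the only safe option is to accept exactly the values we expect."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    normalized = direction.strip().upper()
    if normalized not in SORT_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"SELECT id, email FROM contacts ORDER BY {order_by} {normalized}"


def fetch_sorted(order_by: str, direction: str) -> list:
    """Run the hardened query against an in-memory table built from SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER, email TEXT, date_added TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(build_query_hardened(order_by, direction)).fetchall()
    conn.close()
    return rows


def direction_is_rejected(direction: str) -> bool:
    """True when the hardened builder refuses the given direction value."""
    try:
        build_query_hardened("email", direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(fetch_sorted("date_added", "asc"))
    print(build_query_vulnerable("email", "DESC extra"))   # raw text passes through
    print(direction_is_rejected("DESC extra"))            # hardened builder refuses it
```

The hardened builder normalises case (so `desc` is still accepted, matching typical API behaviour) but rejects anything else, including trailing text; the vulnerable builder is kept only to make the difference visible in the generated SQL.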

Key Insights

  • CVSS 7.6 high-severity vulnerability (CVE-2026-3105) published in 2026 affects Mautic’s API infrastructure by failing to validate sort directions.
  • Blind SQL Injection concept: Attackers use parameters like ‘SLEEP’ or parentheses in the ‘dir’ parameter to exfiltrate data without direct error feedback.
  • The vulnerability impacts multiple Mautic versions including 2.10.0 through 7.0.0, requiring immediate updates to versions 4.4.19, 5.2.10, 6.0.8, or 7.0.1.

Practical Applications

  • Mautic Marketing Automation: Update to fixed versions (e.g., 7.0.1) and implement database least privilege to limit potential exfiltration. Pitfall: Relying solely on ORM defaults without explicit allowlisting of sort directions leads to query manipulation.
  • API Security Auditing: Inspect logs for requests containing SQL keywords like ‘SELECT’ or ‘SLEEP’ in the ‘dir’ parameter. Pitfall: Neglecting to monitor non-standard SQL injection points like sorting clauses results in undetected data breaches.
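As an added example of the log review described above (not part of the original article), the Python below parses constructed combined-format access-log lines, pulls the sort-direction parameter out of each request's query string and flags any value that is not exactly ASC or DESC, noting separately when the value contains SELECT, SLEEP or parentheses. The parameter name `dir` comes from the article; `orderByDir` is included because it is the name Mautic's API documentation uses for the same field (an assumption about the deployment, adjust `SORT_PARAMS` to match yours). Client addresses and paths are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query-string parameters that carry a sort direction (adjust to your deployment).
SORT_PARAMS = ("dir", "orderByDir")
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
# Keywords and characters the article singles out as injection indicators.
SQL_INDICATORS = re.compile(r"\b(select|sleep)\b|[()]", re.IGNORECASE)
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed log lines: two legitimate requests, two that should be flagged.
CONSTRUCTED_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:00:01 +0000] "GET /api/contacts?orderBy=email&orderByDir=ASC HTTP/1.1" 200 5120
203.0.113.10 - - [12/Mar/2026:10:00:02 +0000] "GET /api/contacts?orderBy=email&orderByDir=desc HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2026:10:00:03 +0000] "GET /api/contacts?orderBy=email&dir=DESC%20extra HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2026:10:00:04 +0000] "GET /api/contacts?orderBy=email&dir=SLEEP HTTP/1.1" 200 5120
"""


def sort_param_findings(log_text: str) -> list:
    """Return one finding per sort-direction value that is not ASC/DESC.

    The allowlist check is the primary signal: any other value is anomalous
    regardless of whether a known keyword appears. The keyword match is only
    recorded as the reason so an analyst can prioritise."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        query = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        for name in SORT_PARAMS:
            for value in query.get(name, []):   # parse_qs already percent-decodes
                if value.strip().upper() in ALLOWED_DIRECTIONS:
                    continue
                reason = "sql_indicator" if SQL_INDICATORS.search(value) else "not_allowlisted"
                findings.append({"client": client, "param": name, "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in sort_param_findings(CONSTRUCTED_LOG):
        print(finding)
```

Checking for anything other than ASC/DESC catches probes that use keywords or encodings the regex does not list; the keyword match just ranks the hits. Remember that a successful fix (one of the versions named above) also makes these requests harmless, so a flagged line on a patched host indicates scanning rather than compromise.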

