Improper access control in Mautic - CVE-2017-1000489
Published: January 19, 2021 / Updated: May 25, 2026
Mautic
Detailed vulnerability description
The vulnerability allows a remote user to bypass account disablement and log in.
The vulnerability exists due to improper access control in the third-party SSO plugin integration when processing SSO authentication for a disabled account using an email address. A remote user can authenticate via a linked email address to bypass account disablement and log in.
Only installations with an SSO plugin installed are vulnerable.