Analyst readout for executives and security teams
Plain-English summary
Mautic’s Focus component can be abused by a logged-in user to make the Mautic server send HTTP requests chosen by that user. This could expose internal network details or cause requests to internal or external systems. It is medium severity because authentication is required and availability impact is not reported.
Executive priority
Treat this as a moderate-priority application security issue. It is not reported as exploited, but it can turn a compromised or low-privilege Mautic account into a path for internal network probing. Prioritize internet-facing or broadly accessible Mautic instances first.
Technical view
CVE-2026-9557 is an SSRF issue in mautic/core Focus caused by insufficient validation of user-supplied URLs. CVSS 3.1 is 6.4: network attack vector, low complexity, low privileges required, no user interaction, changed scope, low confidentiality and integrity impact, no availability impact.
Likely exposure
Organizations running affected mautic/core versions 4.0.0, 5.0.0, 6.0.0, or 7.0.0 may be exposed if authenticated users can access the Focus component. Evidence does not identify unauthenticated exposure or specific hosted deployment conditions.
Exploitation context
The source bundle does not report active exploitation, public exploit availability, or CISA KEV listing. The main risk is abuse by an authenticated account to make server-originated HTTP requests that may reach internal services not directly exposed to the attacker.
Researcher notes
The record identifies CWE-918 SSRF in Focus URL validation and lists mautic/core 4.0.0, 5.0.0, 6.0.0, and 7.0.0. The provided evidence does not include exploit details, patched release numbers, or concrete configuration-based mitigations beyond consulting the vendor advisory.
Mitigation direction
- Check the Mautic GitHub advisory for patched versions and upgrade guidance.
- Inventory Mautic deployments and confirm whether the Focus component is enabled.
- Limit Mautic server outbound HTTP access to required destinations where operationally feasible.
- Review authenticated user access and remove unnecessary Focus-related privileges.
- Monitor vendor guidance for updated remediation details.
Validation and detection
- Confirm deployed mautic/core version against the advisory’s affected versions.
- Review Mautic user roles for accounts able to access Focus functionality.
- Inspect server egress logs for unusual Focus-related outbound HTTP destinations.
- Validate network controls prevent Mautic from reaching sensitive internal services.
- Track remediation status against the official Mautic security advisory.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-918: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCloud metadata behavior lookup
The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2026-9557 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.4 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7 Mautic Vulnerability scoring details
Base CVSS 3.1 score
6.4 MediumVector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
Source materials
- CVE List V5 source CVE List V5
- https://github.com/mautic/mautic/security/advisories/GHSA-jmv8-8j9j-rcpc CVE reference, Mautic
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.