CVE-2024-47055: 
PHP vulnerability analysis and mitigation

A security vulnerability (CVE-2024-47055) was discovered in Mautic's segment cloning functionality, disclosed on May 28, 2025. The vulnerability affects Mautic versions above 5.0 up to versions 5.2.6 and 6.0.2, where it was patched. This vulnerability allows any authenticated user to clone segments without proper authorization checks (GitHub Advisory, Wiz Report).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) and Missing Authorization issue within the cloneAction of the segment management functionality. It has been assigned a CVSS v3.1 base score of 4.3 (Medium), with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and results in no confidentiality impact, low integrity impact, and no availability impact (GitHub Advisory, Wiz Report).

The vulnerability enables authenticated users to bypass intended permission restrictions and clone segments even when they lack the necessary permissions to create new ones. This creates a potential security breach in the permission hierarchy of the application (Wiz Report).

Users are advised to update Mautic to version 5.2.6 or 6.0.2, which implement proper authorization checks for the cloneAction within the ListController.php. The update ensures that users attempting to clone segments possess the appropriate creation permissions. No alternative workarounds are available for this vulnerability (GitHub Advisory).