CVE-2024-47056: 
PHP vulnerability analysis and mitigation

A security vulnerability (CVE-2024-47056) has been identified in Mautic where sensitive .env configuration files may be directly accessible via a web browser. The vulnerability was disclosed on May 28, 2025, affecting Mautic versions above 4.4. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations (Mautic Advisory).

The vulnerability stems from missing web server configurations that should restrict access to .env files. Due to this misconfiguration, an unauthenticated attacker can directly access the .env file through a web browser by navigating to its URL. The vulnerability has been assigned a CVSS v3.1 base score of 5.1 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L. It is classified under CWE-312 (Cleartext Storage of Sensitive Information) (Mautic Advisory).

The vulnerability could result in the disclosure of sensitive information stored in the .env configuration files, including database credentials, API keys, and other critical system configurations. This exposure could potentially lead to unauthorized access to system resources and compromise of the application's security (Mautic Advisory).

Users are advised to update to the patched versions: 6.0.2, 5.2.6, or 4.4.16. For Apache users, ensure the web server is configured to respect .htaccess files. Nginx users must manually add a configuration block to deny access to .env files using the following configuration: 'location ~ /.env { deny all; }' and restart the Nginx service. By default, Mautic does not use .env files for production data (Mautic Advisory).