This vulnerability arises from inadequate validation of URLs provided by authenticated users in Mautic's Focus component. Exploiting this SSRF flaw allows an attacker to coerce the server into making HTTP requests to arbitrary locations, potentially exposing internal network information or accessing internal services not otherwise reachable. The affected versions include 4.0.0, 5.0.0, 6.0.0, and 7.0.0. The CVSS vector indicates network attack vector with low attack complexity and requiring privileges but no user interaction, impacting confidentiality and integrity with no impact on availability. There is currently no vendor advisory or patch available, and no public exploits are known.

An authenticated attacker can leverage this SSRF vulnerability to perform internal network reconnaissance or interact with internal or external systems via the hosting server. This may lead to unauthorized disclosure of sensitive information or manipulation of internal services. The impact affects confidentiality and integrity but does not affect availability. No known exploitation in the wild has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict authenticated user privileges to limit exposure and monitor for unusual outbound requests from the server. Avoid exposing the vulnerable component to untrusted users. Do not assume the vulnerability is mitigated without vendor confirmation.