CVE-2026-27593: Statamic's 'Choose Your Own Adventure' Password Reset
Vulnerability ID: CVE-2026-27593
CVSS Score: 9.3
Published: 2026-02-24
A critical vulnerability in Statamic CMS turns the password reset flow into an account-takeover primitive. By supplying an attacker-controlled base URL in the reset request, an attacker can make the application e-mail a legitimate user a reset link that, when clicked, delivers that user's reset token to the attacker's server.
TL;DR
Statamic CMS accepted a caller-supplied _reset_url parameter in password reset requests without validating it. An attacker who triggers a reset for a victim and sets _reset_url to a domain they control causes a genuine reset e-mail to be sent to the victim, but the link in it carries the reset token to the attacker's host. When the victim clicks the legitimate-looking link, the token is handed over, which leads to full account takeover.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
- Attack Vector: Network
- CVSS Score: 9.3 (Critical)
- Exploit Status: PoC Available
- Impact: Account Takeover
- Platform: PHP / Laravel
Affected Systems
- Statamic CMS v5: < 5.73.10 (fixed in 5.73.10)
- Statamic CMS v6: >= 6.0.0-alpha.1, < 6.3.3 (fixed in 6.3.3)
Code Analysis
Commit: 78e63df
Initial, insufficient fix: a string-prefix test of the supplied URL against the configured site URL.
... Str::startsWith($url, $siteUrl) ...
A prefix test of this kind accepts any value that merely begins with the site URL string, so a URL whose hostname extends the site's hostname, or that places the site URL in the userinfo part before an @, still passes. The GitHub advisory describes the bypass that was actually used.
Commit: 6fdd033
Final fix: strict host validation. The supplied URL is parsed and its host component is compared against the site's host instead of comparing raw strings.
... $urlDomain = parse_url($url, PHP_URL_HOST); ...
For a check of this shape to hold, the host comparison must be exact (not a prefix or suffix match) and the scheme should be pinned as well, otherwise the parsed-host check can be loosened again.
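The two checks above, rendered in Python as an added example (this is not Statamic's code; urllib.parse.urlsplit stands in for PHP's parse_url and str.startswith for Str::startsWith). The site URL https://example.com and the probe URLs are constructed for illustration and are not taken from the advisory; they show the general shape of input that passes a prefix test but fails a parsed-host comparison:

```python
"""Prefix check vs parsed-host allowlist for a caller-supplied password-reset base URL."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_URL = "https://example.com"      # assumed production site URL (example value)
ALLOWED_HOSTS = {"example.com"}        # hosts a reset link is allowed to point at


def prefix_check(url: str, site_url: str = SITE_URL) -> bool:
    """Insufficient check (the Str::startsWith pattern): passes anything that begins with the site URL."""
    return url.startswith(site_url)


def host_check(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Hardened check (the parse_url pattern): require https, no userinfo, and an exact host match."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed input (e.g. broken IPv6 literal) is rejected, not trusted
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False            # rejects https://example.com@evil.tld/ style tricks
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def reset_base(requested: Optional[str], token: str) -> str:
    """Build the link for the e-mail: honour the requested base only if it passes host_check, else fall back."""
    base = requested if requested and host_check(requested) else SITE_URL + "/reset"
    sep = "&" if "?" in base else "?"
    return f"{base}{sep}token={token}"


# Constructed probe URLs: a legitimate value first, then attacker-shaped values.
PROBES = (
    "https://example.com/reset",
    "https://example.com.evil.tld/reset",        # site URL is a prefix of a longer host
    "https://example.community/reset",           # same trick with a different TLD
    "https://example.com@evil.tld/reset",        # site URL placed in userinfo
    "http://example.com/reset",                  # scheme downgrade
    "https://evil.tld/?next=https://example.com",
)


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Map each probe to (prefix_check result, host_check result) so the gap between them is visible."""
    return {u: (prefix_check(u), host_check(u)) for u in PROBES}


if __name__ == "__main__":
    for url, (weak, strong) in compare().items():
        print(f"prefix={'PASS' if weak else 'deny'} host={'PASS' if strong else 'deny'}  {url}")
    print(reset_base("https://example.com.evil.tld/reset", "t0k3n"))
```

Three of the attacker-shaped probes pass the prefix test and none pass the host test; reset_base shows the safe fallback behaviour, which keeps the token on the site's own domain instead of rejecting the whole request.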
Exploit Details
- GitHub Security Advisory: documents the bypass of the initial fix and the exploit logic.
Mitigation Strategies
- Update Statamic CMS to the latest patched version (5.73.10 or later on v5, 6.3.3 or later on v6).
- At the WAF, inspect the _reset_url parameter and reject requests whose value does not point at your own domain; only block the parameter outright if none of your own forms rely on it.
- Configure Laravel's TrustProxies middleware (and TrustHosts, where your Laravel version provides it) so that absolute URLs are not built from an attacker-controlled Host or X-Forwarded-Host header.
Remediation Steps:
- For Statamic v5 users: run composer update statamic/cms to reach v5.73.10.
- For Statamic v6 users: run composer update statamic/cms to reach v6.3.3.
- Verify that APP_URL in your .env file matches your production domain, since the patched check compares the supplied reset URL against the site's configured URL.
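A small script, added here and not part of the advisory or the Statamic project, that reads a composer.lock and reports whether the installed statamic/cms is at or past the fixed versions given above (5.73.10 on v5, 6.3.3 on v6, with 6.0.0-alpha.1 and later prereleases below 6.3.3 treated as affected). The sample lock content is constructed; pass the path of your real composer.lock as the first argument to check a deployment:

```python
"""Check a composer.lock for a statamic/cms version patched against CVE-2026-27593."""
import json
import re
import sys
from typing import Optional, Tuple

# Fixed versions from the advisory, keyed by major version: the v5 branch is fixed in
# 5.73.10, the v6 branch (affected from 6.0.0-alpha.1) is fixed in 6.3.3.
FIXED = {5: (5, 73, 10), 6: (6, 3, 3)}


def parse_version(version: str) -> Optional[Tuple[Tuple[int, ...], Optional[str]]]:
    """Turn 'v6.0.0-alpha.1' into ((6, 0, 0), 'alpha.1'); None for non-numeric versions such as dev-main."""
    base, _, pre = version.lstrip("v").partition("-")
    if not re.fullmatch(r"\d+(\.\d+){0,2}", base):
        return None
    nums = tuple(int(p) for p in base.split("."))
    nums = (nums + (0, 0))[:3]          # pad '6.3' to (6, 3, 0)
    return nums, (pre or None)


def is_patched(version: str) -> Optional[bool]:
    """True if at or past the fix for its major, False if affected, None if the advisory does not cover it."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    nums, pre = parsed
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return None
    if nums > fixed:
        return True
    if nums == fixed:
        return pre is None              # 6.3.3-rc.1 sorts before the 6.3.3 release
    return False


def check_lock(lock_text: str) -> Optional[bool]:
    """Locate statamic/cms in composer.lock contents and report its status; None if absent or uncovered."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "statamic/cms":
            return is_patched(pkg.get("version", ""))
    return None


# Constructed sample lock fragment (not a real project file) pinning an affected v5 release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "statamic/cms", "version": "v5.73.9"},
    ]
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status = check_lock(text)
    print({True: "patched", False: "AFFECTED", None: "statamic/cms not found or version not covered"}[status])
```

The comparison deliberately treats a prerelease of the fixed version (for example 6.3.3-beta.1) as affected, since Composer orders prereleases before the release they precede; majors other than 5 and 6 are reported as not covered rather than guessed at.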