CVE Reports

Originally published at cvereports.com

CVE-2026-27939: Statamic CMS Privilege Escalation via Antlers Sandbox Escape and Session Bypass


Vulnerability ID: CVE-2026-27939
CVSS Score: 8.8
Published: 2026-02-27

A critical privilege escalation vulnerability exists in Statamic CMS versions prior to 6.4.0 that allows authenticated Control Panel users to bypass the 'Elevated Session' (sudo mode) mechanism. The vulnerability stems from a combination of flaws, chiefly a sandbox escape in the Antlers template engine that exposes the application configuration, including the Laravel APP_KEY. Because Laravel session cookies are protected with the APP_KEY, an attacker who obtains it can forge session cookies, execute arbitrary code, or manipulate administrative state without ever passing the password re-verification that sudo mode is meant to enforce.

TL;DR

Authenticated attackers can bypass the Statamic Control Panel's password verification prompt (sudo mode) to execute administrative actions. The flaw involves leaking the APP_KEY via the Antlers template engine, enabling session forgery and full system compromise.

⚠️ Exploit Status: PoC

Technical Details

  • CWE-ID: CWE-287 (Improper Authentication)
  • CVSS v3.1: 8.8 (High)
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated User)
  • Impact: Full System Compromise
  • Exploit Status: PoC Available

Affected Systems

  • Statamic CMS 6.x: >= 6.0.0, < 6.4.0 (v6.0.0 - v6.3.9; fixed in 6.4.0)
  • Statamic CMS 5.x: releases prior to the Feb 2026 patches (fixed in the latest 5.x patch release)

Mitigation Strategies

  • Upgrade Statamic to version 6.4.0 or later.
  • Rotate the Laravel APP_KEY immediately.
  • Restrict Control Panel access to trusted IP addresses where possible.
  • Audit Antlers templates for usage of raw PHP or config access.

Remediation Steps:

  1. Run composer update statamic/cms --with-dependencies to fetch the latest version.
  2. Verify the installed version is >= 6.4.0 using php artisan statamic:version.
  3. Run php artisan key:generate to invalidate potentially compromised session cookies.
  4. Clear the application cache using php artisan cache:clear and php artisan view:clear.
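The following script is an added example, not part of the advisory and not Statamic's own tooling. It gives a defender two pre-flight checks for the steps above: a version classifier that applies the affected range stated in this report (6.0.0 up to but excluding 6.4.0, with 5.x flagged for a manual patch-level check because the report gives no 5.x version number), and a template audit that lists Antlers files embedding PHP (`{{? ?}}` / `{{$ $}}` blocks) or reading application configuration (`{{ config:... }}`). Assumptions: templates carry the `.antlers.html` suffix, the three marker strings are what the audit greps for, and the version string is passed in by hand (for example, the value printed by the version command in step 2). Only POSIX sh, find and grep are used, so it runs without PHP or Composer present.

```shell
#!/bin/sh
# Added example (not from the advisory): pre-flight checks for the remediation.
#   statamic_status VERSION   -> affected | fixed | verify-5x-patch | unlisted
#   audit_antlers  DIR        -> prints file:line:text for risky templates,
#                                exit 1 if anything was found, 0 if clean
# Assumption: templates end in .antlers.html; markers are {{?  {{$  config:

# version_lt A B: exit 0 if A < B by numeric major.minor.patch comparison.
# A leading "v" is dropped, missing components count as 0 ("v6.4" == 6.4.0)
# and pre-release suffixes such as "-beta1" are ignored.
version_lt() {
  lhs="${1#v}.0.0"
  rhs="${2#v}.0.0"
  i=1
  while [ "$i" -le 3 ]; do
    l=$(printf '%s\n' "$lhs" | cut -d. -f"$i")
    r=$(printf '%s\n' "$rhs" | cut -d. -f"$i")
    l=${l%%[!0-9]*}; r=${r%%[!0-9]*}      # keep only the leading digits
    if [ "${l:-0}" -lt "${r:-0}" ]; then return 0; fi
    if [ "${l:-0}" -gt "${r:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1                                 # equal, so not strictly less
}

# statamic_status VERSION: classify against the range given in the advisory.
statamic_status() {
  v="$1"
  if version_lt "$v" "5.0.0"; then
    echo "unlisted"                        # 4.x and older are not covered here
  elif version_lt "$v" "6.0.0"; then
    echo "verify-5x-patch"                 # 5.x: confirm the Feb 2026 patch is in
  elif version_lt "$v" "6.4.0"; then
    echo "affected"                        # 6.0.0 <= v < 6.4.0
  else
    echo "fixed"                           # 6.4.0 and later
  fi
}

# audit_antlers DIR: list template lines that embed PHP or read config.
# Fixed-string grep (-F) so the braces are matched literally.
audit_antlers() {
  dir="$1"
  hits=$(find "$dir" -type f -name '*.antlers.html' \
           -exec grep -nHF -e '{{?' -e '{{$' -e 'config:' {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1                               # findings: review these templates
  fi
  return 0
}

# Usage: sh statamic_check.sh VERSION [TEMPLATE_DIR]
if [ "$#" -ge 1 ]; then
  echo "version $1: $(statamic_status "$1")"
  if [ "$#" -ge 2 ]; then
    audit_antlers "$2" && echo "no risky Antlers templates under $2"
  fi
fi
```

A non-zero exit from `audit_antlers` is a prompt to read the listed templates, not proof of a problem: a `config:` reference to a harmless key is still worth knowing about after a key rotation, and any `{{? ?}}` block deserves a second look when the template engine's sandbox is the component under discussion.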

Read the full report for CVE-2026-27939 on our website for more details including interactive diagrams and full exploit analysis.
