CVE-2026-28424: Statamic CMS Information Disclosure via Missing Authorization in Control Panel

#security #cve #cybersecurity

Statamic CMS Information Disclosure via Missing Authorization in Control Panel

Vulnerability ID: CVE-2026-28424
CVSS Score: 6.5
Published: 2026-03-01

A missing authorization vulnerability (CWE-862) in Statamic CMS allows authenticated users with Control Panel access to retrieve sensitive information, including email addresses of all users and potentially system configuration secrets. The flaw exists in the user selection fieldtype endpoint and the Antlers templating engine, which failed to adequately sandbox execution or filter data based on permissions.

TL;DR

Authenticated low-privilege users can access the email addresses of all system users via the Control Panel API, bypassing the 'view users' permission. Additionally, insufficent sandboxing in the Antlers template engine could allow access to sensitive configuration variables.

Technical Details

CWE ID: CWE-862
Vulnerability Type: Missing Authorization
CVSS Score: 6.5 (Medium)
Attack Vector: Network (Authenticated)
Impact: Information Disclosure
EPSS Score: 0.00027 (~7%)

Affected Systems

Statamic CMS v5 < 5.73.11
Statamic CMS v6 < 6.4.0
Statamic CMS: < 5.73.11 (Fixed in: 5.73.11)
Statamic CMS: >= 6.0.0 < 6.4.0 (Fixed in: 6.4.0)

Mitigation Strategies

Update Statamic CMS to the latest stable release.
Restrict 'Editor' and 'Author' permissions strictly to necessary collections.
Audit Antlers templates for usage of raw config access.
Implement WAF rules to block suspicious JSON queries if patching is delayed.

Remediation Steps:

For Statamic v5 users: Update to version 5.73.11 or greater immediately.
For Statamic v6 users: Update to version 6.4.0 or greater immediately.
After updating, run php artisan view:clear to flush compiled templates.
Verify the statamic.system.view_config_allowlist setting in config/statamic/system.php to ensure it only exposes safe keys.