Description
Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
Published: 2026-02-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

Statamic CMS versions between 6.0.0 and 6.3.x contain a flaw that allows an authenticated Control Panel user to bypass an intended verification step and gain higher privileges than originally granted. This is a CWE‑287 (Improper Authentication) vulnerability, stemming from improper authentication controls and can give the attacker access to sensitive operations, potentially compromising the entire site or its data. The pre‑existing user credentials are sufficient to exploit the flaw, so any user who can log into the Control Panel is at risk.

Affected Systems

The impacted product is Statamic CMS. Users running the software versions 6.0.0 through 6.3.x (inclusive) are vulnerable. All installations of these versions that have a Control Panel layer are susceptible until the update to 6.4.0 is applied.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is classified as high severity, yet the EPSS score is below 1%, indicating a low probability of exploitation in the wild so far. The flaw is not yet listed in the CISA KEV catalog, but it remains a critical concern for administrators who have active Control Panel users. Exploitation requires that the attacker gains entry to the Control Panel—either through legitimate credentials or compromised user accounts—then performs the privilege escalation by bypassing the expected verification step. Because the bug affects only authenticated users, the risk is confined to existing accounts and requires that the product be upgraded or otherwise mitigated to eliminate the elevation pathway.

Generated by OpenCVE AI on April 18, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to version 6.4.0 or later to apply the fixed authentication mechanism.
  • If an upgrade is not immediately possible, restrict the permissions of existing Control Panel users to the minimum required for their role.
  • Monitor Control Panel activity for signs of unauthorized privilege escalation and verify that authentication and session handling remain intact until the corrective update is deployed.

Generated by OpenCVE AI on April 18, 2026 at 10:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rw9x-pxqx-q789 Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
History

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Statamic statamic
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products Statamic statamic

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Statamic
Statamic cms
Vendors & Products Statamic
Statamic cms

Fri, 27 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
Description Statmatic is a Laravel and Git powered content management system (CMS). Starting in version 6.0.0 and prior to version 6.4.0, Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. This has been fixed in 6.4.0.
Title Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Statamic Cms Statamic
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T22:03:16.580Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27939

cve-icon Vulnrichment

Updated: 2026-03-02T22:03:13.621Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T22:16:22.993

Modified: 2026-03-10T15:20:19.057

Link: CVE-2026-27939

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses