Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
Published: 2026-02-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of User Email Addresses
Action: Patch
AI Analysis

Impact

Statamic CMS exposes email addresses of control panel users through the user fieldtype’s data endpoint even to those who lack the "view users" permission, resulting in privacy violations. The flaw is an access‑control weakness (CWE-862) that allows malicious users to retrieve sensitive information that should be protected.

Affected Systems

All Statamic CMS installations running a version earlier than 5.73.11 or 6.4.0 are vulnerable. Upgrading to 5.73.11 or 6.4.0 eliminates the missing authorization check and resolves the issue.

Risk and Exploitability

The CVSS score of 6.5 indicates Medium severity, while the EPSS score of <1% suggests the likelihood of exploitation is low. The vulnerability is not listed in CISA KEV. Based on the description (and the CVSS vector's PR:L), it is inferred that an attacker would need a control panel account that lacks the "view users" permission and could then retrieve the email addresses by requesting the user fieldtype's data endpoint from any network position that can reach the control panel.

Generated by OpenCVE AI on April 18, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to version 5.73.11 or 6.4.0 to apply the vendor patch that implements the missing authorization check.
  • Restrict network access to the control panel API or limit the endpoint to trusted hosts so that only authorized administrators can reach it until the patch can be deployed.
  • Ensure that only privileged roles are granted the "view users" permission and remove it from any roles that should not see user email addresses.

Advisories

Source       ID                    Title
GitHub GHSA  GHSA-w878-f8c6-7r63   Statamic's missing authorization allows access to email addresses
History

Thu, 05 Mar 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Statamic statamic
CPEs                                  cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products                    Statamic statamic

Mon, 02 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Statamic
                                      Statamic cms
Vendors & Products                    Statamic
                                      Statamic cms

Fri, 27 Feb 2026 22:30:00 +0000

Type                 Values Removed   Values Added
Description                           Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
Title                                 Statamic's missing authorization allows access to email addresses
Weaknesses                            CWE-862
References
Metrics                               cvssV3_1
                                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T19:36:06.660Z

Reserved: 2026-02-27T15:54:05.136Z

Link: CVE-2026-28424

Vulnrichment

Updated: 2026-03-02T19:36:00.974Z

NVD

Status: Analyzed

Published: 2026-02-27T23:16:05.447

Modified: 2026-03-05T14:46:10.460

Link: CVE-2026-28424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses