Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit. e.g. "view entries" permission to delete entries, or "view users" permission to delete users, etc. The REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too. Sites that enable the REST or GraphQL API without authentication should treat patching as critical priority. This has been fixed in 5.73.20 and 6.13.0.
Published: 2026-04-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Destruction
Action: Immediate Patch
AI Analysis

Impact

Statamic is vulnerable because query parameters on Control Panel and REST API endpoints, and arguments in GraphQL queries, are resolved into method calls on the underlying query objects without adequate restriction (CWE-470, unsafe method invocation via query value resolution). A crafted value can therefore reach destructive operations, resulting in deletion of content, assets, or user accounts. The Control Panel path requires authentication, but only a minimal read permission such as 'view entries' (to delete entries) or 'view users' (to delete users) is needed; no delete permission is required. The REST and GraphQL API paths need no permissions at all, but both APIs are disabled by default: to be exploitable they must have been explicitly enabled with no authentication configured, and the specific resource types must be enabled as well.
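To make the CWE-470 pattern concrete, here is an added, illustrative PHP example written for this page; it is not Statamic's code and does not reproduce its internals. It assumes a filter syntax of the form `?filter[field]=operator:value` (a hypothetical shape chosen for the demonstration) in which the operator half is used as a method name on a query object, beside the hardened form that maps request values through an allowlist. The sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Illustrative CWE-470 example (not Statamic's code): the "operator" half of a
// user-supplied "operator:value" filter is used as a method name on a query
// object, so any public method, including the destructive delete(), is reachable.

final class EntryQuery
{
    /** @var array<int, array{id:int, title:string, status:string}> */
    private array $rows;
    /** @var array<int, array{0:string, 1:string}> */
    private array $conditions = [];

    /** @param array<int, array{id:int, title:string, status:string}> $rows */
    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    public function where(string $field, string $value): self
    {
        $this->conditions[] = [$field, $value];
        return $this;
    }

    /** @return array<int, array{id:int, title:string, status:string}> */
    public function get(): array
    {
        return array_values(array_filter($this->rows, function (array $row): bool {
            foreach ($this->conditions as [$field, $value]) {
                if (($row[$field] ?? null) !== $value) {
                    return false;
                }
            }
            return true;
        }));
    }

    /** Destructive: removes every row matching the current conditions (all rows if none). */
    public function delete(): int
    {
        $doomed = array_column($this->get(), 'id');
        $before = count($this->rows);
        $this->rows = array_values(array_filter(
            $this->rows,
            fn (array $row): bool => !in_array($row['id'], $doomed, true)
        ));
        return $before - count($this->rows);
    }

    public function count(): int
    {
        return count($this->rows);
    }
}

/**
 * VULNERABLE: the operator is passed straight through as a method name.
 *   ?filter[status]=where:draft  -> $q->where('status', 'draft')  (intended)
 *   ?filter[status]=delete:x     -> $q->delete('status', 'x')     (extra args ignored, everything deleted)
 */
function applyFilterUnsafe(EntryQuery $q, string $field, string $spec): EntryQuery
{
    [$operator, $value] = array_pad(explode(':', $spec, 2), 2, '');
    $q->$operator($field, $value);
    return $q;
}

/** Request-level operator names, each mapped to the one query method it may call. */
const FILTER_OPERATORS = ['is' => 'where'];
/** Fields a request is allowed to filter on. */
const FILTER_FIELDS = ['title', 'status'];

/** HARDENED: both the field and the operator must appear in a fixed allowlist. */
function applyFilterSafe(EntryQuery $q, string $field, string $spec): EntryQuery
{
    [$operator, $value] = array_pad(explode(':', $spec, 2), 2, '');
    if (!in_array($field, FILTER_FIELDS, true)) {
        throw new InvalidArgumentException("Unknown filter field: {$field}");
    }
    if (!array_key_exists($operator, FILTER_OPERATORS)) {
        throw new InvalidArgumentException("Unknown filter operator: {$operator}");
    }
    $method = FILTER_OPERATORS[$operator];
    $q->$method($field, $value); // only where() is reachable here
    return $q;
}

// Constructed sample content, not real site data.
$seed = [
    ['id' => 1, 'title' => 'Hello',      'status' => 'published'],
    ['id' => 2, 'title' => 'Draft post', 'status' => 'draft'],
    ['id' => 3, 'title' => 'Old news',   'status' => 'published'],
];

$q = new EntryQuery($seed);
applyFilterUnsafe($q, 'status', 'delete:published');
echo 'unsafe: rows left after a crafted read request: ' . $q->count() . PHP_EOL;

$q = new EntryQuery($seed);
try {
    applyFilterSafe($q, 'status', 'delete:published');
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected -> ' . $e->getMessage() . PHP_EOL;
}
echo 'safe: rows left: ' . $q->count() . PHP_EOL;
echo 'safe: published entries: ' . count(applyFilterSafe($q, 'status', 'is:published')->get()) . PHP_EOL;
```

Run it with `php example.php`. The unsafe path wipes all three rows even though the caller only meant to list entries, which is why a read-only permission such as "view entries" is enough to cause data loss; the hardened path never lets a request name a method directly, so the same input is rejected before any query method runs.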

Affected Systems

Statamic CMS versions prior to 5.73.20 in the 5.x line and prior to 6.13.0 in the 6.x line are affected. Every site on those releases is exposed through the Control Panel (to authenticated low-privilege users); sites that have additionally enabled the REST API or GraphQL API without authentication are exposed to unauthenticated attackers.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) indicates high severity: network-reachable, low complexity, no user interaction, with high impact on integrity and availability and none on confidentiality. The EPSS estimate is below 1% (very low), the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. The attack path is nonetheless simple: an attacker manipulates query values or API arguments so that they resolve to methods that were never meant to be reachable from request input. Control Panel exploitation requires an authenticated user with minimal read permissions, so any low-privilege account, including a compromised one, suffices; REST and GraphQL exploitation is trivial if those endpoints are enabled without authentication. Because both APIs are disabled by default, the risk is highest for sites that have enabled them unauthenticated, and those sites should treat patching as critical. Upgrading to the fixed releases is strongly recommended for everyone else as well.

Generated by OpenCVE AI on April 27, 2026 at 08:21 UTC.

Remediation

The vendor has released fixed versions: Statamic 5.73.20 (5.x line) and 6.13.0 (6.x line), tracked in GHSA-4jjr-vmv7-wh4w. No workaround is documented other than keeping the REST and GraphQL APIs disabled, or placing them behind authentication, until the upgrade is applied.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to version 5.73.20 or higher (for 5.x) or 6.13.0 or higher (for 6.x).
  • If the REST or GraphQL API is enabled, disable it until patched, or enforce authentication on its routes and enable only the resource types a consumer actually needs.
  • Review Control Panel accounts: removing delete privileges does not mitigate this issue, since a read permission such as "view entries" or "view users" is enough to exploit it. Instead, limit who holds any Control Panel access, remove stale or unused accounts, and keep permissions to the minimum each role needs.
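The second action above is a configuration change. The following is an added example for this page, not a file shipped by Statamic: it shows `config/statamic/api.php` with the exposed settings called out in comments beside their corrected values. The key names (`enabled`, `resources`, `middleware`) are assumed to match Statamic's stock config file and should be checked against the copy in your own install; `auth:sanctum` assumes Laravel Sanctum is installed, and `config/statamic/graphql.php` carries the same three keys and should be treated identically.

```php
<?php

// config/statamic/api.php (REST API). Added example, not Statamic's stock file.
// Key names are assumed to match the stock config; verify against your install.
// config/statamic/graphql.php has the same 'enabled', 'resources' and
// 'middleware' keys and should be hardened the same way.

return [

    // EXPOSED:  'enabled' => true   with the default 'api' middleware and no
    //           authentication, which is the unauthenticated precondition for
    //           this issue.
    // CORRECT:  keep the API off unless a consumer needs it; drive it from the
    //           environment so production defaults to disabled.
    'enabled' => env('STATAMIC_API_ENABLED', false),

    // EXPOSED:  every resource type switched to true "to be safe".
    // CORRECT:  enable only the types a consumer actually reads; a resource left
    //           at false is unreachable through this API whatever the query
    //           parameters say.
    'resources' => [
        'collections' => false,
        'navs'        => false,
        'taxonomies'  => false,
        'assets'      => false,
        'globals'     => false,
        'forms'       => false,
        'users'       => false,
    ],

    // EXPOSED:  'middleware' => 'api'   (Laravel's stateless group, no auth)
    // CORRECT:  require an authenticated token on top of the 'api' group.
    //           'auth:sanctum' assumes Laravel Sanctum is installed; substitute
    //           whichever auth middleware your site uses. The throttle limits
    //           how quickly an attacker can iterate on crafted requests.
    'middleware' => ['api', 'auth:sanctum', 'throttle:60,1'],

];
```

After changing the file, run `php artisan config:clear` so a cached configuration does not keep the old values live, then confirm from outside the network that the API routes answer 401/403 rather than content.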


Advisories
Source: GitHub GHSA
ID: GHSA-4jjr-vmv7-wh4w
Title: Statamic: Unsafe method invocation via query value resolution allows data destruction
History

Mon, 27 Apr 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Statamic, statamic
CPEs                 -                cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Vendors & Products   -                Statamic, statamic

Thu, 23 Apr 2026 14:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 22:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Statamic, Statamic cms
Vendors & Products   -                Statamic, Statamic cms

Wed, 22 Apr 2026 21:45:00 +0000

Type         Values Removed   Values Added
Description  -                (identical to the Description at the top of this page)
Title        -                Statamic: Unsafe method invocation via query value resolution allows data destruction
Weaknesses   -                CWE-470
References   -                -
Metrics      -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T13:56:09.912Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41175

Vulnrichment

Updated: 2026-04-23T13:56:06.140Z

NVD

Status : Analyzed

Published: 2026-04-22T22:16:31.820

Modified: 2026-04-27T19:26:43.960

Link: CVE-2026-41175

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T18:42:00Z

Weaknesses