Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the forgotten‑password endpoints return different responses based on whether the supplied email address belongs to a registered user. This information disclosure allows an unauthenticated attacker to enumerate valid accounts, which can then be targeted with credential‑based attacks. The flaw falls under CWE‑204.

Affected Systems

Affected releases belong to the Statamic content‑management system. 5.x releases earlier than 5.73.21 and 6.x releases earlier than 6.15.0 are impacted because they exposed the existence of accounts through the password‑reset workflow. Releases at or above those versions contain the fix.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates a moderate risk: the endpoint is network‑reachable, the attack has low complexity and needs no privileges or user interaction, and the impact is limited to a low loss of confidentiality with no integrity or availability impact. EPSS is not available and the vulnerability is not listed in CISA KEV, so there is no public exploitation data yet. An attacker needs only to send unauthenticated HTTP requests to the forgot‑password endpoint, once with an address that belongs to an account and once with one that does not, and compare the responses; any stable difference in status code, headers, body text or response time tells them which addresses are registered. No authentication or privileged access is required to perform the enumeration.

Generated by OpenCVE AI on May 12, 2026 at 23:41 UTC.

Remediation

Fixed in Statamic 5.73.21 and 6.15.0; see the GitHub advisory GHSA-m24v-f7g5-gq67. No vendor workaround is documented for earlier releases.

OpenCVE Recommended Actions

  • Upgrade your Statamic installation to version 5.73.21 or later, or 6.15.0 or later, which removes the information‑leaking responses.
  • If an immediate upgrade is not feasible, modify the password‑reset logic so that every submitted address receives the same status code and the same generic message (for example, "If an account exists for that address, a reset link has been sent"), eliminating the differentiation between existing and non‑existing accounts.
  • Apply rate limiting and monitoring to the forgot‑password endpoint to reduce the effectiveness of automated enumeration attempts.
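To verify that a deployment no longer exposes the discrepancy described above, and that the generic‑response fix recommended here is complete, the following added example (not Statamic's code and not part of the advisory) compares the responses to two forgot‑password submissions, one for an address known to belong to an account and one that cannot, and reports every feature that still differs. The two response pairs, the page text and the messages are constructed for illustration; the 150 ms timing tolerance is an assumption.

```python
"""Check a forgot-password endpoint for response discrepancies (CWE-204).

Added example: compares the response for an address that belongs to an
account with the response for one that cannot, and reports every feature
that differs. Any difference is an oracle an attacker can use to enumerate
valid users. The sample responses below are constructed, not captured
from Statamic.
"""
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal model of an HTTP response (constructed for this example)."""
    status: int
    headers: dict[str, str]
    body: str
    elapsed_ms: float


# Headers that legitimately change on every request and are not an oracle.
VOLATILE_HEADERS = {"date", "set-cookie", "x-request-id", "etag"}

# Per-request CSRF tokens must be masked before bodies are compared.
TOKEN_RE = re.compile(r'(name="_token" value=")[^"]+(")')


def normalize_body(body: str) -> str:
    """Mask per-request tokens and trim surrounding whitespace."""
    return TOKEN_RE.sub(r"\1MASKED\2", body).strip()


def stable_headers(headers: dict[str, str]) -> dict[str, str]:
    """Lower-case header names and drop the ones that vary per request."""
    return {k.lower(): v for k, v in headers.items()
            if k.lower() not in VOLATILE_HEADERS}


def find_discrepancies(known: Response, unknown: Response,
                       timing_threshold_ms: float = 150.0) -> list[str]:
    """Return every observable difference; an empty list means no oracle.

    timing_threshold_ms is an assumed tolerance for network jitter.
    """
    diffs: list[str] = []
    if known.status != unknown.status:
        diffs.append(f"status {known.status} vs {unknown.status}")
    kh, uh = stable_headers(known.headers), stable_headers(unknown.headers)
    for name in sorted(set(kh) | set(uh)):
        if kh.get(name) != uh.get(name):
            diffs.append(f"header {name}: {kh.get(name)!r} vs {uh.get(name)!r}")
    if normalize_body(known.body) != normalize_body(unknown.body):
        diffs.append("body text differs after masking tokens")
    if abs(known.elapsed_ms - unknown.elapsed_ms) > timing_threshold_ms:
        diffs.append(f"timing {known.elapsed_ms:.0f} ms vs {unknown.elapsed_ms:.0f} ms")
    return diffs


# Constructed pair modelling the pre-fix behaviour: distinct messages, a
# different Content-Length, and a slower response when mail is actually sent.
VULNERABLE_PAIR = (
    Response(200, {"Content-Type": "text/html", "Content-Length": "131",
                   "Set-Cookie": "session=aaa"},
             '<form><input name="_token" value="t1">'
             '<p class="status">We have emailed your password reset link.</p></form>',
             340.0),
    Response(200, {"Content-Type": "text/html", "Content-Length": "135",
                   "Set-Cookie": "session=bbb"},
             '<form><input name="_token" value="t2">'
             '<p class="error">We can\'t find a user with that email address.</p></form>',
             45.0),
)

# Constructed pair modelling the fix: one generic message, mail delivery queued.
FIXED_PAIR = (
    Response(200, {"Content-Type": "text/html", "Content-Length": "155",
                   "Set-Cookie": "session=ccc"},
             '<form><input name="_token" value="t3">'
             '<p class="status">If an account exists for that address, a reset link has been sent.</p></form>',
             52.0),
    Response(200, {"Content-Type": "text/html", "Content-Length": "155",
                   "Set-Cookie": "session=ddd"},
             '<form><input name="_token" value="t4">'
             '<p class="status">If an account exists for that address, a reset link has been sent.</p></form>',
             48.0),
)


if __name__ == "__main__":
    for label, pair in (("vulnerable", VULNERABLE_PAIR), ("fixed", FIXED_PAIR)):
        found = find_discrepancies(*pair)
        print(f"{label}: {'LEAKS' if found else 'no oracle found'}")
        for d in found:
            print("  -", d)
```

Against a real deployment, fill the two Response objects from captured traffic for the page returned after the form submission (including any redirect target), using several samples per address to average out jitter. Set‑Cookie and per‑request tokens are masked because they change on every request regardless of the account. The timing comparison matters because a patched form that returns identical text can still leak if it sends the reset mail synchronously only for existing accounts; queueing the mail keeps response times uniform.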

Advisories
Source       ID                   Title
GitHub GHSA  GHSA-m24v-f7g5-gq67  Statamic CMS vulnerable to email enumeration via forgot password endpoint
History

Wed, 13 May 2026 00:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Statamic
                                      Statamic cms
Vendors & Products                    Statamic
                                      Statamic cms

Tue, 12 May 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description                    Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.
Title                          Statamic: Email enumeration via forgot password endpoint
Weaknesses                     CWE-204
References
Metrics                        cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:30:36.390Z

Reserved: 2026-05-05T19:00:06.021Z

Link: CVE-2026-44306

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T22:16:37.413

Modified: 2026-05-12T22:16:37.413

Link: CVE-2026-44306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses