Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.
Published: 2026-06-19
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Statamic CMS prior to versions 5.73.23 and 6.20.0 had an authorization flaw in the Control Panel fieldtype endpoints; an authenticated user with Control Panel access could retrieve metadata and content for resources they were not permitted to view, exposing entry titles, custom fields, asset details, and the existence of users, roles, and groups. The vulnerability allowed purely read-only disclosure; no modification of data was possible.

Affected Systems

The affected product is Statamic CMS, versions earlier than 5.73.23 for the 5.x series and earlier than 6.20.0 for the 6.x series; any installation that uses authenticated Control Panel users and these fieldtype endpoints is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact with low complexity; EPSS is not available, so exploitation probability is uncertain, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated Control Panel user; an internal attacker or compromised account could leverage legitimate credentials to access restricted resources. While the flaw is limited to read-only disclosure, the exposed information could assist further attacks, such as credential enumeration or profiling of the organization.

Generated by OpenCVE AI on June 19, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Statamic CMS to at least 5.73.23 or 6.20.0, whichever applies.
  • Restrict Control Panel user roles and enforce least privilege access policies.
  • Conduct regular audits of user access and monitor for anomalous activity.

Tracking


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Statamic; Statamic cms
Vendors & Products                    Statamic; Statamic cms

Fri, 19 Jun 2026 18:45:00 +0000

Type / Values Removed / Values Added (no values removed in this entry; all values below were added):

Description: Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.
Title: Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources
Weaknesses: CWE-200, CWE-862, CWE-863
References:
Metrics: cvssV3_1, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T18:11:53.331Z

Reserved: 2026-05-28T20:07:58.862Z

Link: CVE-2026-49288

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-862

    Missing Authorization

  • CWE-863

    Incorrect Authorization