CVE-2026-28424 Overview
CVE-2026-28424 is an information disclosure vulnerability affecting Statamic, a Laravel- and Git-powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were improperly exposed in API responses from the user fieldtype's data endpoint. Control panel users who did not have the "view users" permission could access email addresses that should have been restricted, violating the principle of least privilege.
Critical Impact
Unauthorized exposure of user email addresses to control panel users lacking proper permissions, enabling potential privacy violations and targeted phishing attacks against CMS users.
Affected Products
- Statamic CMS versions prior to 5.73.11
- Statamic CMS versions prior to 6.4.0
Discovery Timeline
- 2026-02-27 - CVE-2026-28424 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28424
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), which occurs when the software does not perform an authorization check when an actor attempts to access a resource or perform an action. In this case, the user fieldtype's data endpoint in the Statamic control panel failed to properly enforce the "view users" permission before including user email addresses in API responses.
The flaw allows authenticated control panel users without explicit "view users" permission to enumerate user email addresses through normal API interactions with the user fieldtype. While the attacker must have some level of authenticated access to the control panel, they can exceed their authorized scope by accessing sensitive user data.
Root Cause
The root cause is insufficient authorization enforcement in the user fieldtype data endpoint. When the endpoint processes requests and constructs response objects, it includes user email addresses regardless of whether the requesting user has the "view users" permission. The authorization check was either missing entirely or improperly implemented, allowing the data to leak to unauthorized but authenticated users.
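The pattern described above, as an added illustration that is not Statamic's own code: a hypothetical fieldtype data serializer shown in its vulnerable form (email copied into every item unconditionally) next to a hardened form that includes the email field only when the requesting account holds the "view users" permission. The permission string, endpoint shape and sample users are assumptions for this example.

```python
# Added illustration (not Statamic's code). `requester` is the set of
# permissions granted to the control panel account making the request.
from typing import Iterable

VIEW_USERS = "view users"  # permission name taken from the advisory text


def serialize_users_vulnerable(requester: set, users: Iterable[dict]) -> list:
    """Before: email is emitted for every user with no authorization check."""
    return [{"id": u["id"], "title": u["name"], "email": u["email"]} for u in users]


def serialize_users_fixed(requester: set, users: Iterable[dict]) -> list:
    """After: the check is applied where the response item is built, so it
    holds for every user returned, not only for a top-level route guard."""
    can_view_users = VIEW_USERS in requester
    items = []
    for u in users:
        item = {"id": u["id"], "title": u["name"]}
        if can_view_users:
            item["email"] = u["email"]
        items.append(item)
    return items


def leaked_emails(items: list) -> list:
    """Helper for checking a response: every email present in the payload."""
    return [i["email"] for i in items if "email" in i]


# Constructed sample data for the demonstration.
SAMPLE_USERS = [
    {"id": "u1", "name": "Alice", "email": "alice@example.com"},
    {"id": "u2", "name": "Bob", "email": "bob@example.com"},
]

if __name__ == "__main__":
    low_priv = {"edit blog entries"}  # an account without "view users"
    print("vulnerable:", leaked_emails(serialize_users_vulnerable(low_priv, SAMPLE_USERS)))
    print("fixed:     ", leaked_emails(serialize_users_fixed(low_priv, SAMPLE_USERS)))
```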
Attack Vector
The vulnerability is exploitable over the network by any authenticated control panel user. An attacker with limited control panel access can send requests to the user fieldtype data endpoint and receive responses containing email addresses of other users. Attack complexity is low because no special conditions or race conditions are needed; valid credentials and a request to the endpoint are sufficient.
The attack scenario involves:
- An attacker gains access to a Statamic control panel account with limited permissions
- The attacker navigates to or programmatically accesses the user fieldtype data endpoint
- The endpoint returns user information including email addresses without verifying the "view users" permission
- The attacker harvests email addresses for further malicious activities such as phishing or social engineering
Detection Methods for CVE-2026-28424
Indicators of Compromise
- Unusual access patterns to the user fieldtype data endpoint from low-privilege accounts
- Elevated frequency of API requests to user-related endpoints from accounts without "view users" permission
- Log entries showing user data access from accounts that should not have such permissions
Detection Strategies
- Monitor API access logs for requests to user fieldtype data endpoints and correlate with user permission levels
- Implement alerting for control panel users accessing user data endpoints without appropriate permissions
- Review access logs for patterns indicating systematic enumeration of user information
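The first and third strategies above, as an added example that is not part of the advisory: parse constructed access-log lines, correlate each request to the user fieldtype data endpoint with an exported permission map, and flag accounts that lack "view users", reporting those whose request volume suggests systematic enumeration. The log format, the endpoint path and the permission map are assumptions for illustration, not Statamic's actual route or export format.

```python
# Added detection example (not part of the advisory). Log shape and the
# endpoint path are assumptions; adapt the regexes to the real access log.
import re
from collections import Counter

# Constructed access-log lines: "<account> <method> <path> <status>".
SAMPLE_LOG = """\
editor1 GET /cp/fieldtypes/users/data 200
editor1 GET /cp/fieldtypes/users/data 200
editor1 GET /cp/fieldtypes/users/data 200
admin1 GET /cp/fieldtypes/users/data 200
editor2 GET /cp/collections/blog/entries 200
editor2 GET /cp/fieldtypes/users/data 403
"""

# Constructed permission map, as exported from the control panel.
PERMISSIONS = {
    "admin1": {"view users", "edit users"},
    "editor1": {"edit blog entries"},
    "editor2": {"edit blog entries"},
}

LINE_RE = re.compile(r"^(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")
USER_DATA_PATH = re.compile(r"^/cp/fieldtypes/users/data")  # assumed route


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unauthorized_access(log_text, permissions, enumeration_threshold=3):
    """Return ({account: successful_requests}, [accounts at/over threshold])
    for accounts without "view users" that received data from the endpoint."""
    counts = Counter()
    for rec in parse_log(log_text):
        if not USER_DATA_PATH.match(rec["path"]):
            continue  # not the endpoint of interest
        if not rec["status"].startswith("2"):
            continue  # denied or failed requests did not return data
        if "view users" in permissions.get(rec["user"], set()):
            continue  # authorized access, no finding
        counts[rec["user"]] += 1
    enumerating = sorted(u for u, n in counts.items() if n >= enumeration_threshold)
    return dict(counts), enumerating


if __name__ == "__main__":
    print(find_unauthorized_access(SAMPLE_LOG, PERMISSIONS))
```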
Monitoring Recommendations
- Enable detailed logging for all control panel API endpoints
- Configure SIEM rules to detect access to sensitive user data by unauthorized accounts
- Periodically audit control panel user permissions and compare against actual access patterns
How to Mitigate CVE-2026-28424
Immediate Actions Required
- Upgrade Statamic CMS immediately to version 5.73.11 or later (5.x branch) or version 6.4.0 or later (6.x branch)
- Review control panel access logs to identify any potential exploitation
- Audit user accounts that may have accessed user data without proper permissions
- Consider notifying users whose email addresses may have been exposed
Patch Information
Statamic has released security patches to address this vulnerability. Users should upgrade to one of the following versions:
- Statamic CMS v5.73.11 - For users on the 5.x branch
- Statamic CMS v6.4.0 - For users on the 6.x branch
For complete details about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-w878-f8c6-7r63.
Workarounds
- Restrict control panel access to only essential personnel until patching is complete
- Review and minimize user permissions to limit potential exposure
- Implement network-level access controls to restrict control panel access to trusted IP ranges
# Upgrade Statamic using Composer
composer require statamic/cms:^5.73.11
# Or for version 6.x
composer require statamic/cms:^6.4.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.